a policy driven approach to software defined networking by amir sharif at suse openstack partner...
![Page 1: A Policy Driven Approach to Software Defined Networking by Amir Sharif at SUSE OpenStack Partner Theater](https://reader033.vdocument.in/reader033/viewer/2022060205/55a108d51a28ab6d6a8b46de/html5/thumbnails/1.jpg)
Copyright 2013 Alcatel-Lucent. All rights reserved.
@amir_sharif
Amir Sharif, Business Development, Nuage Networks
A Policy Driven Approach to Software Defined Networking
![Page 2: A Policy Driven Approach to Software Defined Networking by Amir Sharif at SUSE OpenStack Partner Theater](https://reader033.vdocument.in/reader033/viewer/2022060205/55a108d51a28ab6d6a8b46de/html5/thumbnails/2.jpg)
SDN in 2014
OpenFlow Controllers
Network Virtualization
White Box Switching
Open Source Projects
Network as a Service
Plenty of Innovation and Disruption…
![Page 3: A Policy Driven Approach to Software Defined Networking by Amir Sharif at SUSE OpenStack Partner Theater](https://reader033.vdocument.in/reader033/viewer/2022060205/55a108d51a28ab6d6a8b46de/html5/thumbnails/3.jpg)
Why SDN?
Reduce Cost
Asset Utilization
Self Service
Automation
Make the network more “Cloud” like
We’re making great progress
![Page 4: A Policy Driven Approach to Software Defined Networking by Amir Sharif at SUSE OpenStack Partner Theater](https://reader033.vdocument.in/reader033/viewer/2022060205/55a108d51a28ab6d6a8b46de/html5/thumbnails/4.jpg)
The “Consumption shift”
Cloud is changing the way technology is being consumed
From “order and wait”
To “instant gratification”
Consumer expectations are shifting
Multiple personas
Single user
On-demand personalized catalogue
![Page 5: A Policy Driven Approach to Software Defined Networking by Amir Sharif at SUSE OpenStack Partner Theater](https://reader033.vdocument.in/reader033/viewer/2022060205/55a108d51a28ab6d6a8b46de/html5/thumbnails/5.jpg)
Compute is Virtualized
Available in Minutes
Network is Partially Virtualized
Configuration takes Days/Weeks
Network Configuration
Compute Management
New Tenant / Application Request
Auto-instantiation
Compute Request completed in Minutes
Help Desk
Change Control
IP Address
VLAN Address
Firewall Configuration
LAN (VLAN) Configuration
WAN (IP) Configuration
Security / QA Team
Project Coordinator
Network Change completed in days/Weeks
00:01
Datacenter Network
Service velocity is hindered by manual network process
![Page 6: A Policy Driven Approach to Software Defined Networking by Amir Sharif at SUSE OpenStack Partner Theater](https://reader033.vdocument.in/reader033/viewer/2022060205/55a108d51a28ab6d6a8b46de/html5/thumbnails/6.jpg)
Network is “more” virtualized
Some things available in minutes – Some not so much
Many network elements are manually configured
Manual per-tenant network configurations
Network Configuration
Compute Management
New Tenant / Application Request
Auto-instantiation
Compute Request completed in Minutes
SDN Controller
Some Network Change completed in Minutes
00:01 00:01
Software Defined Datacenter Network
Service velocity accelerated, but…
![Page 7: A Policy Driven Approach to Software Defined Networking by Amir Sharif at SUSE OpenStack Partner Theater](https://reader033.vdocument.in/reader033/viewer/2022060205/55a108d51a28ab6d6a8b46de/html5/thumbnails/7.jpg)
Committees still build “networks”
Audits/reviews
In a NaaS environment (OpenStack Neutron, AWS, etc.) this is delegated to the tenant
Is this what your DevOps team should be doing?
Network Configuration
Software Defined Network Configuration
We’ve only addressed part of the automation problem
DevOps Team
VLAN Address
IP Address
WAN (IP) Configuration
Firewall Configuration
Network Configuration created in days/Weeks
![Page 8: A Policy Driven Approach to Software Defined Networking by Amir Sharif at SUSE OpenStack Partner Theater](https://reader033.vdocument.in/reader033/viewer/2022060205/55a108d51a28ab6d6a8b46de/html5/thumbnails/8.jpg)
Current Neutron Networking provides building blocks to create logical topologies: Networks, Ports, Subnets, Routers, Security Groups
neutron net-create web
neutron subnet-create --name web-subnet web 10.0.0.0/24
neutron router-create router1
neutron router-interface-add router1 web-subnet
…
Not abstracted into a consumable model
OpenStack Neutron Networks
web
VM VM VM VM VM VM
app db
Puts the burden of topology design on the DevOps team
![Page 9: A Policy Driven Approach to Software Defined Networking by Amir Sharif at SUSE OpenStack Partner Theater](https://reader033.vdocument.in/reader033/viewer/2022060205/55a108d51a28ab6d6a8b46de/html5/thumbnails/9.jpg)
DevOps has an understanding of the specific application needs: Segmentation, Port numbers, Connectivity goals
Should not be burdened with the implementation details: Routes, Subnets, VLANs
The DevOps team needs an Abstracted view
A DevOps View
web: VM VM VM
app: VM VM VM
db: VM VM VM
![Page 10: A Policy Driven Approach to Software Defined Networking by Amir Sharif at SUSE OpenStack Partner Theater](https://reader033.vdocument.in/reader033/viewer/2022060205/55a108d51a28ab6d6a8b46de/html5/thumbnails/10.jpg)
What is a network Policy?
OpenStack Group Based Policy Abstractions for Neutron
https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction
• An Application-centric approach to networking
• Moving away from traditional network constructs
  • ports, subnets, routers, etc.
• Aiming for a highly abstracted interface for application developers to
  • express desired connectivity of application components
  • and express high-level policies governing that connectivity
• Without imposing constraints on the underlying implementation
![Page 11: A Policy Driven Approach to Software Defined Networking by Amir Sharif at SUSE OpenStack Partner Theater](https://reader033.vdocument.in/reader033/viewer/2022060205/55a108d51a28ab6d6a8b46de/html5/thumbnails/11.jpg)
Policy Abstractions for Neutron
OpenStack Group Based Policy Abstractions for Neutron
https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction
[Diagram: Outside EPG, Web EPG, App EPG and DB EPG, each grouping VMs; labels: Web Contract, App Contract, App Contract; Public Network, Private Networks]
• Endpoint (EP) – an IP addressable entity
• Endpoint Group (EPG) – a grouping of Endpoints
• Policy Rule – individual rule that defines communication criteria
• Contract – a collection of Policy Rules that are applied to traffic between EPGs
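The four abstractions above can be exercised as a small default-deny evaluator. This is an added illustration, not code from the presentation and not the Neutron Group Based Policy API; the class and function names, the prefixes, the port numbers and the "db" contract are assumptions made for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class PolicyRule:            # one communication criterion
    protocol: str
    port: int

@dataclass
class EPG:                   # endpoints are identified here by IP prefix
    name: str
    members: list
    provides: list = field(default_factory=list)   # contract names
    consumes: list = field(default_factory=list)

def epg_of(ip, epgs):
    """Return the EPG with the most specific prefix containing ip, or None."""
    addr, best = ip_address(ip), None
    for epg in epgs:
        for cidr in epg.members:
            net = ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, epg)
    return best[1] if best else None

def allowed(src_ip, dst_ip, protocol, port, epgs, contracts):
    """Default deny: permit only if dst provides a contract src consumes
    and that contract holds a matching rule."""
    src, dst = epg_of(src_ip, epgs), epg_of(dst_ip, epgs)
    if src is None or dst is None:
        return False
    shared = set(src.consumes) & set(dst.provides)
    return any(PolicyRule(protocol, port) in contracts[c] for c in shared)

# Constructed sample policy (prefixes, ports and the "db" contract are assumptions)
CONTRACTS = {
    "web": [PolicyRule("tcp", 80), PolicyRule("tcp", 443)],
    "app": [PolicyRule("tcp", 8080)],
    "db":  [PolicyRule("tcp", 3306)],
}
EPGS = [
    EPG("outside", ["0.0.0.0/0"], consumes=["web"]),
    EPG("web", ["10.0.1.0/24"], provides=["web"], consumes=["app"]),
    EPG("app", ["10.0.2.0/24"], provides=["app"], consumes=["db"]),
    EPG("db",  ["10.0.3.0/24"], provides=["db"]),
]

def check(src, dst, port):
    return allowed(src, dst, "tcp", port, EPGS, CONTRACTS)
```

Because a flow is permitted only through a contract the destination group provides and the source group consumes, the outside group can reach the web tier but never the database, and no tier can initiate connections back up the chain.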
![Page 12: A Policy Driven Approach to Software Defined Networking by Amir Sharif at SUSE OpenStack Partner Theater](https://reader033.vdocument.in/reader033/viewer/2022060205/55a108d51a28ab6d6a8b46de/html5/thumbnails/12.jpg)
APPLICATION ATTRIBUTES
SDN FRAMEWORK
TOPOLOGY ATTRIBUTES
Service Mapping
Service Binding
Application Request
TECHNOLOGY ATTRIBUTES
[Diagram: web, app and db groups of VMs]
To Achieve a Policy Driven Network
![Page 13: A Policy Driven Approach to Software Defined Networking by Amir Sharif at SUSE OpenStack Partner Theater](https://reader033.vdocument.in/reader033/viewer/2022060205/55a108d51a28ab6d6a8b46de/html5/thumbnails/13.jpg)
Policy Driven Networking Delivered
Nuage has provided policy abstractions for virtual and physical networks since our first release
L2, L3, ACLs, QoS, Service Chaining, Traffic Statistics
Difficult to express using existing Neutron constructs…
Which is why we’re contributing to Group Based Policy: cleanly express application policy in Neutron
![Page 14: A Policy Driven Approach to Software Defined Networking by Amir Sharif at SUSE OpenStack Partner Theater](https://reader033.vdocument.in/reader033/viewer/2022060205/55a108d51a28ab6d6a8b46de/html5/thumbnails/14.jpg)
Cloud Service Management Plane
Datacenter Control Plane
Datacenter Data Plane
Virtual Routing & Switching
R3.0 GA in September 2014
Virtualized Services Directory
Virtualized Services Controller
HYPERVISOR
HYPERVISOR
HYPERVISOR
HYPERVISOR
HYPERVISOR
HYPERVISOR
Brooklyn Datacenter - Zone 1
Virtualized Services Directory (VSD)
• Network Policy Engine – abstracts complexity
• Service templates and analytics
Virtualized Services Controller (VSC)
• SDN Controller, programs the network
• Rich routing feature set
Virtual Routing & Switching (VRS)
• Distributed switch / router – L2-4 rules
• Integration of bare metal assets
Nuage Networks Virtualized Services Platform (VSP)
IP Fabric
Edge Router
MP-BGP MP-BGP
Hardware GW for Bare Metal
Nuage Networks Virtual Services Platform
![Page 15: A Policy Driven Approach to Software Defined Networking by Amir Sharif at SUSE OpenStack Partner Theater](https://reader033.vdocument.in/reader033/viewer/2022060205/55a108d51a28ab6d6a8b46de/html5/thumbnails/15.jpg)
DATACENTER NETWORK
Any Compute Virtualization Environment
Any Datacenter Networking Hardware
Any Server or Hypervisor
Open solution
Consistent capabilities across
![Page 16: A Policy Driven Approach to Software Defined Networking by Amir Sharif at SUSE OpenStack Partner Theater](https://reader033.vdocument.in/reader033/viewer/2022060205/55a108d51a28ab6d6a8b46de/html5/thumbnails/16.jpg)
Nuage Networks policy templates and role-based workflow
Compute Management
Tenant / Application Request
Networking
Security / Compliance
Service velocity is not hindered by manual network process
Auto-instantiation
Compute Request
completed in Minutes
00:01
IP address
WAN interconnect
Policy / Security Zones
L2 /L3 Service AD
Service chaining
Templates
Nuage Networks VSP
Policy Instantiation
• IP address 10.x.y.z
• VLAN configuration
• WAN configuration
• Security / FW settings
• QoS parameters
• …
Network Change
Completed automatically
00:01
![Page 17: A Policy Driven Approach to Software Defined Networking by Amir Sharif at SUSE OpenStack Partner Theater](https://reader033.vdocument.in/reader033/viewer/2022060205/55a108d51a28ab6d6a8b46de/html5/thumbnails/17.jpg)
Conclusions
• Creation of distributed virtual switches and virtual routers - great for virtual networks and better than VLANs, but …
• Creates a distributed virtual configuration and management challenge
• Provisioning and management of these endpoints cannot be done with traditional methodology
• Policy abstraction is a proven framework
• Successfully shipping since May 2013
![Page 18: A Policy Driven Approach to Software Defined Networking by Amir Sharif at SUSE OpenStack Partner Theater](https://reader033.vdocument.in/reader033/viewer/2022060205/55a108d51a28ab6d6a8b46de/html5/thumbnails/18.jpg)
For more information…
• Nuage Networks Virtualized Services Platform
• http://www.nuagenetworks.net
• OpenStack Neutron Group Based Policy Abstraction
• https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction
• OpenDaylight Application Policy Plugin
• https://wiki.opendaylight.org/view/Project_Proposals:Application_Policy_Plugin
![Page 19: A Policy Driven Approach to Software Defined Networking by Amir Sharif at SUSE OpenStack Partner Theater](https://reader033.vdocument.in/reader033/viewer/2022060205/55a108d51a28ab6d6a8b46de/html5/thumbnails/19.jpg)
2111/10/2014
Network Policy NOW
@nuagenetworks
@amir_sharif