Cloud Networking is not Virtual Networking - London VMUG 20130425
DESCRIPTION
Talking about how and why the virtual networking we use today is not suitable for Cloud deployments. First I talk about the gap between "servers" & "networks", then discuss the problems of the virtual networking we use today. Then on to using software appliances instead of physical devices, highlighting the good & bad. Then a brief overview of Software Defined Networking and how it will impact Cloud Networking in the next two years.
TRANSCRIPT
PacketPushers.net
Cloud Networking is NOT Virtual Networking
About Me
• Host of Packet Pushers Podcast PacketPushers.net
• “Cloud Plumber” at Canopy Cloud (Division of Atos): Cloud Network Architect, Office of CTO
• Blog - EtherealMind.com
• NetworkComputing.com (http://networkcomputing.com/blogs/author/Greg-Ferro)
Agenda
• Why your Network Guy Doesn’t Care About You
• Cloud Networking is not Virtual Networking
• Cloud Network Services
• Where is SDN ?
Server Admins See...
[slide diagram: the Internet ("not where servers are"), then "THE LAN" made of Security Thingies, Wotsits, MAGIC STUFF, (Friendly) Gnomes and Dark Spirits, then the Servers: Active Directory, File, SQL, Mail, Provisioning]
Network Admins see ....
[slide diagram: ISP1 and ISP2, Firewall, IPS/IDS, WAAS / Cache, Load Bal, WAN and B2B links, Access Layer, and at the far end "A SERVER"]
Networking is in my way
• The Network is a SINGLE SYSTEM
• Every element is interconnected to another in the LAN or WAN or both
• Rebooting a device might/could take down the whole network
• If rebooting or reconfiguring a server could cause the entire DC to fail, what would your job look like?
Data Centres != Universe
• I’d like to remind VMware executives that the network is bigger than VMware .......
• “vCDNI means that you never have to talk to the network guy ever again” VMworld 2010 (faceless butthead)
• “Meanwhile, through all of the advances in server virtualization and cloud computing, networking has remained stuck in the past.” - Hatem Naguib, Vice President, Networking & Security - Mar 13, 2013
• Servers connect to Clients
• Network is a platform.
• VMware is just one “network app”.
• Take some time to look down the service chain instead of up your own arse
Data Centres != Universe
[slide diagram: the Internet, Campus LAN, Remote Access, The WAN, Wireless, IP Voice and Network Security surrounding the Data Centre; inside the DC: Firewalls, DC NETWORK, Cabling, Servers, Storage and VMware, marked "This is you"]
What a Server Does
• Servers are Packet Generators
• In SDN, Servers are FLOW Generators
Impact Pyramid
[slide diagram: impact pyramid with layers Data Centre, Network, Servers/Storage/VMware and Apps, labelled Power & Physical, Connectivity, Hosts, Applications and Users]
• Which failure class causes the greatest impact?
‣ A user?
‣ One server?
‣ A VMware cluster?
‣ A storage array?
‣ A Network?
‣ A Data Centre?
Networking is in my way
• Because networks are good enough, the budget gets there last.
• Wasted investments like patching, virus scan & updates. Networking doesn't have those problems at the same scale.
• Servers were so far behind.
• Custom silicon takes 3-5 years from concept to delivery.
• Too expensive - 5-year depreciation cycle
Rant Over: Infrastructure As A Team
Agenda
• Why your Network Guy Doesn’t Care About You
• Cloud Networking IS NOT Virtual Networking
• Cloud Network Services
• Where is SDN ?
Virtual Networking is OLD
• Virtual LANs in 1996
• Virtual Routing in 2002/3 (MPLS)
• Virtual Network Appliances (firewalls, load balancers) in 2007/8
• “Let's do it again” say bitter, cynical networking voices of experience
• Virtual Networking is OLD networking
Virtual Problems
• Four problems of Virtual Networking
‣ CapEx for all physical appliances
‣ Single points of redundant failure - software in a coherent system
‣ No API / poor configurability
‣ Individual autonomous elements ( no vCenter, SCVMM/SCOM equivalent)
Virtual Networking 1 - CapEx
• Initial Large CapEx for Data Centre Network
• Sporadic Upgrades (usually in response to problems)
[chart: Capital Expenditure over Time; a large step at Network Install, then a Network Upgrade when Port Capacity runs out, with several Server Upgrades in between; the gap is labelled CapEx Waste]
Virtual Networking 2 - Failure Modes
[slide diagram: WAN and Internet routers (RTR), one pair of firewalls (FWL) in Stateful HA Active/Standby, one pair of load balancers (LoadBal) in Stateful HA, and all servers (SVR) behind them]
• Single points of complex failure
• Why have only one pair of firewalls?
‣ Routing, cost, power users
‣ Only one or two critical services need HA
• HA systems are inherently risky & shared-fate systems.
‣ Active/Standby firewall
• HA in a vertical-scale system = $$$$$’s
Virtual Networking 3 - Configuration
• Manual Configuration
• All devices are configured using “power tools”
• Every engineer is a “power user”
• Why have an API? Substandard & lacking vendor commitment
• Restricts number of devices (requires power users)
• A serious networking problem.....
Virtual Networking 4 - Autonomy
• Individual autonomous elements
• Central control is neither desirable nor relevant, i.e. vCenter, SCVMM/SCOM is a risky system.
• Resilient & Distributed Systems like the Internet work well.
• Data Centres are NOT distributed.
VBLOCK
[slide diagram: VMDC Design Template v2.1 - Cisco CVD; UCS 5100 chassis of B2xx blades with UCS 2100 fabric extenders and UCS 6200 fabric interconnects, MDS SAN switches and VNX storage, NX5K access, NX7K Aggr and Core Contexts, ASA Firewalls with ASA Contexts, LoadBal pairs, DMZ Svrs, MPLS/WAN and Internet]
Complex, Insecure
• Traffic loops to physical devices
• Insecure (VLANs, Routing)
• Advanced networking skills for dumb results
• Chained failure domains
Many Moving Parts
[slide diagram: Cisco UCS B-Series Blade / C-Series Rack Server running vSphere; Palo/VIC CNA presenting Software pNICs and pHBAs to Ethernet dNICs and FC dHBAs; FEX 2100 to FI 6100 with Connection Pinning and Passthrough Switching (PTS); Nexus Switches with vPC Link and Fabric Sync; could be PortChannel]
• Takes a long time to understand this complexity.
• Automation / Software solves the problem
Virtual Networking - Strengths
• performance, scale
• no centralised points of control (failure domain)
• distributed, self healing, eventual consistency
• 20-year proven system, widespread knowledge & expertise
Define Cloud Networking
Cloud Networking is:
• Network Devices as Software
• Don’t buy hardware. Install software.
• Deploy many small instances (horizontal) instead of one big one (vertical)
Cloud Networking
• Build Network Services with Applications
• Instead of a firewall deploy a Web Service.
• Instead of a load balancer install the “Sharepoint Load Balancer”.
• One network per service is a huge change in network practice
Cloud Pros & Cons
• Use 20 small network devices instead of 1 pair of physical devices
• Distribute complexity, reduce failure
• Simpler configuration -> easier operation -> better fault tracing
• More complex network design
• You MUST deploy / build automation & monitoring to manage many devices.
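An added example of the automation the last point calls for (written for this page, not code from the deck): with one small firewall instance per service, the expected rule set is generated from a template and each instance's reported rules are compared against it, so drift on any one of many devices is caught automatically. The rule format, subnets and service list are constructed for illustration.

```python
# Constructed example: many small per-service firewall instances, one template.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    port: int     # 0 means any port
    src: str      # source CIDR (constructed subnets below)

def expected_rules(app_port):
    """Hypothetical template: allow the app port from the front-end subnet,
    SSH only from the management subnet, deny everything else."""
    return frozenset({
        Rule("allow", "tcp", app_port, "10.1.0.0/24"),
        Rule("allow", "tcp", 22, "10.9.0.0/24"),
        Rule("deny", "any", 0, "0.0.0.0/0"),
    })

def check_fleet(services, observed):
    """services: {name: app_port}; observed: {name: rules the instance reports}.
    Returns {name: {"missing": [...], "unexpected": [...]}} for every instance
    that drifted; an instance that never reported counts as fully missing."""
    report = {}
    for name, port in services.items():
        want = expected_rules(port)
        have = frozenset(observed.get(name, ()))
        missing = sorted(want - have, key=str)
        unexpected = sorted(have - want, key=str)
        if missing or unexpected:
            report[name] = {"missing": missing, "unexpected": unexpected}
    return report

# Constructed fleet: three services, each with its own small firewall instance.
SERVICES = {"sharepoint": 443, "mail": 25, "sql": 1433}
OBSERVED = {
    "sharepoint": expected_rules(443),                # matches the template
    "mail": {Rule("allow", "tcp", 25, "10.1.0.0/24"),
             Rule("allow", "tcp", 22, "0.0.0.0/0"),   # SSH widened to any source
             Rule("deny", "any", 0, "0.0.0.0/0")},
    # "sql" is absent: that instance never reported its configuration
}
```

Running check_fleet(SERVICES, OBSERVED) flags the widened SSH rule on "mail" and the silent "sql" instance while leaving "sharepoint" out of the report.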
DC Design Today
[slide diagram: MPLS/WAN and Internet routers (RTR), one pair of firewalls (FWL), and all servers (SVR) behind them]
Cloud Networking
[slide diagram: Physical Network Services (MPLS/WAN, Internet, RTR, FWL pair) at the edge; inside VMware vCloud, Everything is a VM: per-service routers (RTR), firewalls (FWL) and servers (SVR)]
Awesome?
Cloud Networking Design Problems
[slide diagram: as on the Cloud Networking slide: Physical Network Services at the edge, per-service RTR, FWL and SVR instances inside]
• Network Appliances close to server/application
• What about routing?
• What about server-to-server communication?
• Better Security.
• Business control over applications, developers & business units
Complexity
•Complex Design is a good tradeoff for Better DevOps
•Complexity can be solved with AUTOMATION
Cloud Networking looks like......
• VMware vCloud
• vApps
• vCNS
Cloud Networking Gotchas
• network is subject to hugely bursty traffic and loads
• No one knows what sort of load / bandwidth / packet per second / concurrent flows the application needs.
• Hypervisor VMs are SLOW and LATENT compared to custom silicon
• Cascading failure in congestion events
Gotchas - Hardware Huggers
• Networking is ‘addicted’ to hardware (network hugging has a practical basis, e.g. cabling, WAN, path analysis)
• Hardware is needed but software is more important.
• Merchant silicon will change networking, especially in the low end, but is unlikely to commoditise in the same way as servers
Gotchas - Vendors
• Vendors commit hundreds of millions to design and manufacture of silicon on multi-year cycles
• Software undermines existing vendor strategies
• Firewalls: Palo Alto PanOS, Cisco ASA, Juniper SRX. Load Balancers: F5 TMOS, Citrix NetScaler. (consider Riverbed Stingray)
• Pricing is not aligned to requirement
‣ i.e. software pricing equivalent to hardware price
‣ assumes one-for-one replacement
Gotchas - HA
• You still need TWO appliances for HA
‣ but most applications are not HA
• LBs, Firewalls, Routers are always HA because they are critical
‣ are they critical because they are one big unit in a single location?
Gotchas - Server Teams
• Distributed software devices mean spreading load and configuration.
• Also means more complexity.
• You must control “application sprawl” to maintain network integrity in switching & routing
• Server / VM teams MUST learn some Cloud Networking / Network teams MUST learn some Cloud Server
And so to SDN
• Devices like vCNS Shield, Edge and App are (relatively) feature-simple.
• But might be Good Enough™
• If you follow the previous points you will realise that you need much better networking ....
Agenda
• Why your Network Guy Doesn’t Care About You
• Cloud Networking is not Virtual Networking
• Cloud Network Services
• Where is SDN ?
Define SDN
• Primary: Software configured networking
• Automated deployment
• Automated change
• Let the VM/Server do its own networking.
Any Changes?
• Networking is still Networking
• Servers are still Servers
• SDN moves most networking into the “vSwitch”
• The Network Guy will control it
• You will need networking skills for SDN
Pre-Virtual Networking
[slide diagram: Physical Network of switches (SW) in Core, Distribution and Access layers]
SDN Network
[slide diagram: Network Agents, each hosting several vServers, connected by a Tunnel Fabric with Flow Forwarding (VXLAN) over an Ethernet/IP LAN Fabric / IP Fabric]
vSwitch SDN (Today)
• vSwitch becomes an active network “agent” instead of a patch panel
• Flows not Packets
• Routing and Switching
• Load Balancing
• Edge Security
Controller Networks
[slide diagram: Network SDN Controller driving the East West LAN switches over OpenFlow]
Controller Networking
[slide diagram: Orchestration Controller and Quantum/OpenStack Configuration Controller on the Northbound SDN side; Network SDN Controller driving the East West LAN switches over Southbound SDN (OpenFlow); North/South LAN at the edge]
SDCC
• Cannot “software” a physical network but you can program a “software” network
• Network Agents move complexity to the edge
• Ubiquitous Network Services increase the overall network usefulness
• Vastly improved security
• Options for networking multiple clouds and bare metal servers
SDN Vendors
• Real Products
‣ BigSwitch Networks
‣ NEC
‣ Midokura
‣ VMware/Nicira
• “Shipping”
‣ Nuage Networks (Alcatel/Lucent)
‣ Contrail (Juniper)
‣ VMware/Nicira
• Still Working on It
‣ Cisco (multi-product, multi-strategy)
My views on VMware NSX
• NSX delivers SDN strategy
• Works for Enterprise AND Service Providers
• NSX is a solution for KVM; Hyper-V & bare metal in future.
• NSX appears “software only” - expect network vendors to offer integrated solutions
SDN Reality
• Unproven. Beta - 2013. Major Release 2014.
• Enterprise will find it hard to value (ITIL / ITSM disconnect)
• vSphere vs vCloud = Virtual vs Cloud Networking
• Server / Networking duty merge
• Rewiring of team & technical disciplines
• ITIL & ITSM Change management overhaul
SDN Closeout
• SDN delivers business outcomes
• SDN means MORE networking not less
• Servers <-> Networks will be tightly integrated as a technology and team structure will reflect that - “IaaT”