fostering the evolution of network based cloud service providers
TRANSCRIPT
CloudVPN Fostering The Evolution of Network-Based Cloud Service Providers.
Bart Van de Velde Sr. Director, Engineering, Chief Technology & Architecture Office
MPLS SDN NFV Congress - Paris
© 2015 Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public
Agenda
• Introduction
• CloudVPN Use Case
• CloudVPN Architecture
• CloudVPN as a Service Delivery Platform
• Summary
CloudVPN – A Programmable Platform for SPs to evolve their VPN offerings with Cloud integration at a lower TCO (agility, automation, simplification) and a low marginal cost, achieved through Virtualization and SDN enablement.
The New Customer Requirements
User ≠ One Size Fits All. New solutions demand more flexible and comprehensive offerings that interoperate with existing equipment, hardware and software included.
• On-Demand Bandwidth & Capacity
• Big Data & Analytics
• Rapid Deployment of New Business Applications
• Anywhere/Anytime Secure Accessibility
• User Experience, Delivered
• Open Solutions
• Seamless Connectivity
• One Stop Shop
• UX & Multi-Platform
• On-Demand Solutions
• PAYG Models
The Starting Point: Unique Opportunity of the SMB Market
An excellent starting point to evolve business services models:
• Modular architecture: low-cost customization
• Cloud services deliver on new buy models, demands and cycles
• Variability in vertical, size and offering needs, and in buy-cycle: one size does not fit all
SDN, NFV and Orchestration: Creating the Change Platform
• Orchestration: automation, provisioning and interworking of physical and virtual resources (service orchestration)
• SDN: separation of control and data plane
• NFV: network functions delivered as software running on any open, standards-based hardware
• Services Platform: the three combined
The time is NOW to put SDN, NFV and Orchestration into action.
The Mission: Service Provider Business Transformation
AUTOMATION, VIRTUALIZATION AND ORCHESTRATION ARE REQUIRED… HOW?
• Virtualized resource pools (network-ready compute/storage)
• Virtualized network functions and secure overlays
• Dynamic set-up, tear-down and provisioning
• On-demand workload movement with service profiles
• Data center and network workload portability
• Orchestration: full access to resource pools anywhere
• Cloud services: cost reduction and agility delivers profits
Agenda
• SDN, NFV & Orchestration
• CloudVPN Use Case
• CloudVPN Architecture
• CloudVPN as a Service Delivery Platform
• Summary
Goal: Multi-tenant Virtual Private Network + Cloud
[Diagram: several customer sites, each reached over xDSL, GPON, FTTX or mobile access, attached to SP routers R1/R2 and linked into the SP WAN and cloud data center]
Virtual Private Cloud (VPC): the logical design is automatically created within the WAN and the cloud data center, with self-service creation and modification.
CloudVPN – Key Focus Areas
• Self Service – Catalog Driven
• Address Small [branches] of the large [enterprises]
• Remote Worker, SOHO, Distributed Sites (hospitality, retail)
• One Offering: Integrate VPN with Cloud Services
• Lower TCO (agility, automation, simplification) via Virtualization & Cloud Management
• Leverage existing SP Network Infrastructure
• Shorter Time To Revenue with NO upfront CAPEX
• Ability to bundle offers: SMB -> Mobile, Video, Smart Business, Security
Customer Experience in a Nutshell
Order services → CPE ships → unbox & plug in → orchestration happens! → service up and running
CloudVPN Business Services, Use Case 1: CloudVPN with Internet, Firewall (FW), Remote Access (RA)
Cloud IPVPN with FW and Remote Access to Internet:
• vFW with NAT and policy
• vFW with IPSec/SSL Remote Access including remote end-host posture verification
• Overlay packet tunnels: IPSec tunnels, mesh or hub & spoke
[Diagram: three CPEs with IPSec tunnels into the SP cloud, where a VR and an Internet Router/vFW front the Internet; management is cloud-hosted, scalable, elastic and on-demand]
CloudVPN Business Services, Use Case 2: CloudVPN with Internet, FW, RA and Enhanced Web Security
Cloud IPVPN with FW and Remote Access to Internet:
• vFW with NAT and policy
• vFW with IPSec/SSL Remote Access including remote end-host posture verification
• WSAv for Enhanced Web Security
• Overlay packet tunnels: IPSec tunnels, mesh or hub & spoke
[Diagram: as in use case 1, with a WSAv added in the SP cloud next to the VR and the Internet Router/vFW]
CloudVPN Business Services, Use Case 3: CloudVPN with Internet, FW, RA and Next-Gen IPS
Cloud IPVPN with FW and Remote Access to Internet:
• vFW with NAT and policy
• vFW with IPSec/SSL Remote Access including remote end-host posture verification
• vNG-IPS (SourceFire) for advanced threat protection and real-time contextual awareness
• Overlay packet tunnels: IPSec tunnels, mesh or hub & spoke
[Diagram: as in use case 1, with a vNG-IPS added in the SP cloud next to the VR and the Internet Router/vFW]
Agenda
• Introduction
• CloudVPN Use Case
• CloudVPN Architecture
• CloudVPN as a Service Delivery Platform
• Summary
CloudVPN End-to-End Architecture
[Diagram: the NCS orchestrator sits between the self-service portal and BSS systems on the north side and the SP network, compute and storage on the south side]
• Portal (service consumer self service): Create, Deliver, Operate, Optimize; Service Design with "My Designs" and "My Deployments", a Deployment Wizard with scope selection (e.g. Engineering and Testing folders); an Operator Self Service view alongside it.
• NCS network service lifecycle management: YANG service models and device models, FASTMAP and reactive FASTMAP, NETCONF/YANG and RESTCONF/YANG northbound (NBI to the BSS systems), a NETCONF console (netconfd), and O/S component APIs (Java).
• Network Element Drivers (NEDs): ISR NED, VR CSR NED, vFW vASA NED, vNG-IPS NED and vSecWeb NED; southbound via NETCONF/YANG, Cisco PnP over HTTP and Cisco CLI via SSH for config & operation.
• ESC: virtual service lifecycle management on top of the O/S virtual infrastructure manager (network, compute, storage, virtual switches).
• ISR CPE at the customer site: discovery & call home to the PnP server (call home) across the WAN network and Internet, then config & operation.
• Services instantiated from service models: Customer VPN (VR_CSR, VFW_vASA), vNG-Intrusion Protection, vSecWeb-WSAv and other network services.
Model-driven service consumer portal for self-service service lifecycle: create, modify, redeploy, delete.
CloudVPN with ISR CPE Use Case
[Diagram: the Tenant Portal and the SP's OSS/BSS drive the Network Services Orchestrator (NSO) over REST APIs; NSO drives the PnP Server and the Elastic Services Controller (ESC), which manages OpenStack on x86 servers; the CSR1Kv sits at the DCI/PE edge]
• Customer orders VPN service
• ISR CPE shipped to customer site, connected and powered on
• PnP functionality: zero-touch provisioning; provide Day 1 configuration
• Spin up CSR (ESC on OpenStack); provision CSR
• Establish VPN: IPSec, IP overlay (VXLAN, GRE, LISP), L2
• CloudVPN connectivity up
CloudVPN - Adding VNFs in the Cloud
What if more VNFs are needed for a service chain?
[Diagram: the same flow as the ISR CPE use case (order VPN service, ship and power on the CPE, PnP zero-touch provisioning, Day 1 configuration, establish VPN, connectivity up), with ESC now spinning up additional VNFs (CSR1Kv, ASAv, vESA, Internet Gateway) on OpenStack x86 servers behind the DCI/PE, connected through OVS or the VTF]
More scalable and flexible service chaining enabled with VTC and high-performance VTF.
CloudVPN Service Topologies
[Diagram: six service topologies, each with three CPEs attached to a vR and an Internet Router plus the VNF chain listed below; topology 4 also shows a DMZ and an email server]
• Topology 1 – vIPVPN with FW and RA: vFW with NAT and FW policy; vFW with IPSec/SSL Remote Access (RA) incl. remote end-host security posture verification.
• Topology 2 – vIPVPN with BYOD, FW and RA: as topology 1, plus vISE for BYOD service auth (AAA, TrustSec label to IP binding).
• Topology 3 – vIPVPN with BYOD, FW, RA, WebSec: as topology 2, plus vWSA for Enhanced Web Security.
• Topology 4 – vIPVPN with BYOD, FW, RA, EmailSec: vFW with NAT and FW policy; vFW with IPSec/SSL remote access incl. remote end-host security posture verification; vESA for Critical Information Protection (inbound and outbound emails).
• Topology 5 – vIPVPN with BYOD, FW, RA, WebSec, ngIPS: as topology 3, plus vNG-IPS (SourceFire) for advanced threat protection and real-time contextual awareness.
• Topology 6 – vIPVPN with BYOD, FW, RA, WebSec, DDoS: as topology 3, plus vDDoS (Radware DefensePro) for volumetric and application DDoS visibility and mitigation services.
Legend
• Packet service nodes: vR (router), vFW (firewall), vISE (identity services engine), vWSA (web security appliance), vESA (email security appliance), vNG-IPS (intrusion protection system), vDDoS (DDoS mitigation services), vLB (load balancer), Internet Router
• Termination points: tunnel, local link
• Packet links: L2, L3
• Packet flows: unclassified, BYOD AAA, http requests, email (inside & outside), DDoS threat, IPSec/SSL, IPS threat
CloudVPN – Soft Real-Time Orchestration Loop
[Diagram: NCS with the CloudVPN Function Pack in the middle; the Operator Portal and User Portal on the north side reach NCS through its CLI, NBI and a NETCONF console; on the south side ESC and OpenStack host the CSR and ASAv VNFs, and several ISR CPEs attach from customer sites]
Service models and implementation.
CloudVPN – Soft Real-Time Orchestration Loop
[Diagram: the same NCS / ESC / OpenStack / CSR / ASAv / ISR CPE layout; the service operations CREATE SERVICE, UPDATE SERVICE, DELETE SERVICE and REDEPLOY SERVICE all pass through FASTMAP]
Changed network state (PnP and ESC notifications) triggers a service redeploy.
ESC and NCS interaction allows for dynamic service creation and update.
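The loop on this slide (create, update, delete and redeploy all going through FASTMAP, with a network-state change triggering the redeploy) can be shown in a few dozen lines. The block below is an added example, not Cisco NSO/NCS code: the `Orchestrator` class stands in for NCS, `map_service` stands in for a CloudVPN service template, and the device names (`cpe-01`, `router-01`), configuration paths and IP addresses are constructed. The one FASTMAP idea it keeps is that the orchestrator stores, per service instance, the reverse delta that undoes what the service wrote, so that delete and redeploy never have to guess what to remove.

```python
# Added example, not Cisco NSO/NCS code: a FASTMAP-style reconciliation loop.
# Device names, config paths and addresses below are constructed.
from copy import deepcopy
from dataclasses import dataclass
from typing import Dict, Optional

Config = Dict[str, Dict[str, str]]            # device -> {config path: value}
Delta = Dict[str, Dict[str, Optional[str]]]   # device -> {config path: value or None (= remove)}


@dataclass
class CloudVpnService:
    """Service model instance as a tenant portal would submit it."""
    name: str
    cpe: str
    vrouter: str
    tunnel_net: str
    remote_access: bool = False


def map_service(svc: CloudVpnService, network_state: Config) -> Config:
    """Service model -> device configuration.  WAN addresses are read from the
    observed network state (what PnP reported), not stored in the service model;
    that is what makes a redeploy after a network change meaningful."""
    cpe_wan = network_state[svc.cpe]["wan-ip"]
    vr_wan = network_state[svc.vrouter]["wan-ip"]
    cfg: Config = {
        svc.cpe: {f"crypto/ipsec/{svc.name}/peer": vr_wan,
                  f"crypto/ipsec/{svc.name}/local": cpe_wan},
        svc.vrouter: {f"crypto/ipsec/{svc.name}/peer": cpe_wan,
                      f"interface/Tunnel-{svc.name}/ip": svc.tunnel_net},
    }
    if svc.remote_access:
        cfg[svc.vrouter][f"webvpn/{svc.name}/enable"] = "true"
    return cfg


def apply_delta(state: Config, delta: Delta) -> None:
    for dev, changes in delta.items():
        dev_cfg = state.setdefault(dev, {})
        for path, value in changes.items():
            if value is None:
                dev_cfg.pop(path, None)
            else:
                dev_cfg[path] = value


def diff(actual: Config, target: Config) -> Delta:
    """Config lines that differ between two states (None marks a removal)."""
    out: Delta = {}
    for dev in set(actual) | set(target):
        a, t = actual.get(dev, {}), target.get(dev, {})
        changes = {p: t.get(p) for p in set(a) | set(t) if a.get(p) != t.get(p)}
        if changes:
            out[dev] = changes
    return out


def delta_size(delta: Delta) -> int:
    return sum(len(changes) for changes in delta.values())


class Orchestrator:
    """Stand-in for NCS: owns the pushed device config and per-service undo deltas."""

    def __init__(self, network_state: Config) -> None:
        self.network_state = deepcopy(network_state)   # what the network reported
        self.devices: Config = {}                      # config pushed so far
        self.services: Dict[str, CloudVpnService] = {}
        self.reverse: Dict[str, Delta] = {}            # per-service reverse delta

    def deploy(self, svc: CloudVpnService) -> int:
        """CREATE / UPDATE / REDEPLOY; returns the number of config lines pushed."""
        base = deepcopy(self.devices)
        if svc.name in self.reverse:              # virtually remove the old instance
            apply_delta(base, self.reverse[svc.name])
        desired = map_service(svc, self.network_state)
        self.reverse[svc.name] = {                # what undoes this instance later
            dev: {p: base.get(dev, {}).get(p) for p in lines}
            for dev, lines in desired.items()
        }
        target = deepcopy(base)
        apply_delta(target, desired)
        pushed = diff(self.devices, target)       # only the net change reaches devices
        self.devices = target
        self.services[svc.name] = svc
        return delta_size(pushed)

    def delete(self, name: str) -> int:
        undo = self.reverse.pop(name)
        del self.services[name]
        apply_delta(self.devices, undo)
        return delta_size(undo)

    def on_network_event(self, device: str, key: str, value: str) -> Dict[str, int]:
        """Changed network state -> redeploy every service that touches the device."""
        self.network_state.setdefault(device, {})[key] = value
        touched = [s for s in self.services.values() if device in (s.cpe, s.vrouter)]
        return {s.name: self.deploy(s) for s in touched}


if __name__ == "__main__":
    orch = Orchestrator({"cpe-01": {"wan-ip": "198.51.100.10"},
                         "router-01": {"wan-ip": "203.0.113.1"}})
    print("create:", orch.deploy(CloudVpnService("vpn-a", "cpe-01", "router-01", "10.0.0.0/30")))
    print("update:", orch.deploy(CloudVpnService("vpn-a", "cpe-01", "router-01", "10.0.0.0/30", True)))
    print("redeploy:", orch.on_network_event("cpe-01", "wan-ip", "198.51.100.20"))
    print("delete:", orch.delete("vpn-a"))
```

The point to take from it is the division of labour: the service template is a pure function of the service model and the observed network state, and the orchestrator only ever pushes `diff(actual, target)`. Turning remote access on therefore pushes one line, a CPE reporting a new WAN address redeploys only the two tunnel endpoints that depend on it, and delete replays exactly what the service wrote.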
CloudVPN – zooming in on the modeled Networking Layer
[Example of a network topology model: a network topology consists of nodes (node.1 to node.5), links (link.1 to link.4) and termination points (tp.1 to tp.8)]
CVPN-S2S-RA-FW-INET network service topology
• S2S: inter-site VPN with CPE-to-VR tunnels
• RA: VFW with encrypted Remote Access (RA) incl. remote end-host security posture verification
• FW-INET: VFW with NAT44 and stateful FW policy for Internet connectivity
[Example of a network topology model: CPEs and remote-access clients (RAC) attach to the VR, which connects through the VFW to the Internet]
CVPN-S2S-RA-FW-INET packet flows: unclassified, http requests, DDoS threat, SSL, IPS threat.
Packet processing and forwarding functions on the path: NAT44'ed; WCCPv2 redirect (http only); IP forwarding, static or dynamic route; SSL termination; ACL-based forward; NAT44.
Termination points: local connection, tunnel connection. Links: L2 (Ethernet), L3 (IPv6 and/or IPv4).
[Diagram: three stacked topology layers, each drawn as a graph]
Underlay – Topology: dt_mvp1_underlay, Tags: sjc_lab, underlay. Nodes: cpe-01 (cisco-isr, Gig0/1), r2, compute-01 (cisco-ucs, hosting esc-01 and br-outside-01 on ovs-network; interfaces eth1, eth4, eth4.100, eth4.101); the CPE reaches the compute node across an unmanaged IP network.
Overlay – Topology: dt_mvp1_overlay, Tags: overlay. Nodes: cpe-01 (cisco-isr) and router-01 (cisco-csr1000v); an ipsec_vpn link (ipsec_tunnel, cpe tunnel tunnel-01) joins cpe-01.Gig0/1 to router-01.Gig1, with the uni on the cpe side and the nni on the csr side.
Virto – myvpn, Tags: sjc_lab. Nodes: cpe, Virtual Router (Gig1, Gig2), vFirewall firewall-01 (cisco-asa100V; inside, outside), vWSA wsa-01 (cisco-vwsa; eth0, eth1, eth2), vBridges br-01 and br-02 on ovs-network, IVRF, and the external network internet reached through the br-internet-01 gateway; termination points tp1, tp2, tp3.
YANG tree of the virto module (tree notation):
module: virto
  +--rw virto [id]
     ...
     +--rw topology-types?
     |  +--rw cvpnv:cloudvpn-virto?
     +--rw tags*                    string
     +--rw supporting-topology [id]
     |  ...
     +--rw node [id]
     |  ...
     |  +--rw node-type?
     |  |  +--rw cvpnv:cloudvpn-virto
     |  |  +--rw cvpnv:cpe?
     |  |  +--rw cvpnv:tunnel?
     |  |  +--rw cvpnv:vRouter?
     |  |  +--rw cvpnv:vFirewall?
     |  |  +--rw cvpnv:vAAA?
     |  |  +--rw cvpnv:vWSA?
     |  |  +--rw cvpnv:vESA?
     |  |  +--rw cvpnv:vIPS?
     |  |  +--rw cvpnv:vDOS?
     |  |  +--rw cvpnv:network?
     |  |     ...
     |  +--rw supporting-node*      node-ref
     |  +--rw termination-point [id]
     |     ...
     |  +--rw function?
     |     ...
     +--rw link [id]
     |  ...
     +--rw occupancy
        ...
Underlay
Overlay
Virto
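The three layers above and the virto tree share one shape: a topology has nodes, each node has termination points and optionally a `supporting-node` reference into the topology below, and links join termination points. Before an orchestrator deploys a service onto such a model it has to check that every reference resolves, since a link to a termination point that does not exist, or a virto node whose supporting overlay node was deleted, would otherwise surface only as a failed device push. The block below is an added example, not Cisco's code: it builds an in-memory model of the slide's three topologies (the topology, node, tag and interface names are taken from the slide; the class layout, the port names on `r2`, and the exact virto links are assumptions), validates it, and resolves a virtual node down to the physical node that carries it.

```python
# Added example, not Cisco's code: layered topology model (underlay -> overlay -> virto)
# with the referential checks an orchestrator runs before deploying a service.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, str]   # (node id, termination-point id)
NodeRef = Tuple[str, str]    # (supporting topology id, node id)


@dataclass
class Node:
    id: str
    node_type: str                                   # cpe, tunnel, vRouter, vFirewall, vWSA, network, ...
    termination_points: List[str] = field(default_factory=list)
    supporting_node: Optional[NodeRef] = None        # the node one layer down that carries this one


@dataclass
class Link:
    id: str
    src: Endpoint
    dst: Endpoint


@dataclass
class Topology:
    id: str
    topology_type: str
    tags: List[str] = field(default_factory=list)
    supporting_topology: Optional[str] = None
    nodes: Dict[str, Node] = field(default_factory=dict)
    links: Dict[str, Link] = field(default_factory=dict)


def validate(model: Dict[str, Topology]) -> List[str]:
    """Referential integrity across layers; an empty list means the model is consistent."""
    problems: List[str] = []
    for topo in model.values():
        if topo.supporting_topology and topo.supporting_topology not in model:
            problems.append(f"{topo.id}: supporting topology {topo.supporting_topology} is undefined")
        for node in topo.nodes.values():
            if node.supporting_node is None:
                continue
            st, sn = node.supporting_node
            if st != topo.supporting_topology:
                problems.append(f"{topo.id}/{node.id}: supporting node is in {st}, not the declared supporting topology")
            elif st in model and sn not in model[st].nodes:
                problems.append(f"{topo.id}/{node.id}: supporting node {st}/{sn} does not exist")
        for link in topo.links.values():
            for node_id, tp in (link.src, link.dst):
                node = topo.nodes.get(node_id)
                if node is None or tp not in node.termination_points:
                    problems.append(f"{topo.id}/{link.id}: endpoint {node_id}:{tp} does not exist")
    return problems


def resolve_to_underlay(model: Dict[str, Topology], topo_id: str, node_id: str) -> List[NodeRef]:
    """Follow supporting-node references down to the lowest layer (which physical box carries this?)."""
    chain: List[NodeRef] = []
    while True:
        node = model[topo_id].nodes[node_id]
        chain.append((topo_id, node_id))
        if node.supporting_node is None:
            return chain
        topo_id, node_id = node.supporting_node


def build_sample_model() -> Dict[str, Topology]:
    """The slide's three layers; r2 port names and virto links are constructed."""
    underlay = Topology("dt_mvp1_underlay", "underlay", ["sjc_lab", "underlay"])
    underlay.nodes = {
        "cpe-01": Node("cpe-01", "cisco-isr", ["Gig0/1"]),
        "r2": Node("r2", "router", ["p1", "p2"]),
        "compute-01": Node("compute-01", "cisco-ucs", ["eth4", "eth4.100"]),
    }
    underlay.links = {
        "ul-1": Link("ul-1", ("cpe-01", "Gig0/1"), ("r2", "p1")),
        "ul-2": Link("ul-2", ("r2", "p2"), ("compute-01", "eth4")),
    }
    overlay = Topology("dt_mvp1_overlay", "overlay", ["overlay"], supporting_topology="dt_mvp1_underlay")
    overlay.nodes = {
        "cpe-01": Node("cpe-01", "cpe", ["uni"], ("dt_mvp1_underlay", "cpe-01")),
        "router-01": Node("router-01", "vRouter", ["nni"], ("dt_mvp1_underlay", "compute-01")),
    }
    overlay.links = {"ipsec_tunnel": Link("ipsec_tunnel", ("cpe-01", "uni"), ("router-01", "nni"))}
    virto = Topology("myvpn", "cloudvpn-virto", ["sjc_lab"], supporting_topology="dt_mvp1_overlay")
    virto.nodes = {
        "cpe": Node("cpe", "cpe", ["tp1"], ("dt_mvp1_overlay", "cpe-01")),
        "router": Node("router", "vRouter", ["Gig1", "Gig2"], ("dt_mvp1_overlay", "router-01")),
        "firewall-01": Node("firewall-01", "vFirewall", ["inside", "outside"]),
        "wsa-01": Node("wsa-01", "vWSA", ["eth0"]),
        "br-01": Node("br-01", "network", ["tp1", "tp2", "tp3"]),
        "internet": Node("internet", "network", ["tp1"]),
    }
    virto.links = {
        "l1": Link("l1", ("cpe", "tp1"), ("router", "Gig1")),
        "l2": Link("l2", ("router", "Gig2"), ("br-01", "tp1")),
        "l3": Link("l3", ("br-01", "tp2"), ("firewall-01", "inside")),
        "l4": Link("l4", ("br-01", "tp3"), ("wsa-01", "eth0")),
        "l5": Link("l5", ("firewall-01", "outside"), ("internet", "tp1")),
    }
    return {t.id: t for t in (underlay, overlay, virto)}


if __name__ == "__main__":
    model = build_sample_model()
    print("problems:", validate(model))
    print("router is carried by:", resolve_to_underlay(model, "myvpn", "router"))
```

`resolve_to_underlay` is the query an operator wants when a compute host is drained or a CPE is replaced: every virto node whose chain ends at that underlay node is affected, which is the same dependency the redeploy step on the orchestration loop slide has to honour.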
Agenda
• Key Focus Areas
• CloudVPN Use Case
• CloudVPN Architecture
• CloudVPN as a Service Delivery Platform
• Summary
Service Platform Characteristics
• Modularity & Interoperability: reusable and flexible, interoperable components; consistent APIs and open interfaces
• Open Innovation, Open Source, Standards: standardization and development of open, multi-vendor solutions
• Scale & Simplify the Network: virtualization and programmability; multi-layer convergence and interoperability; automated solutions
• Increase Value for Partners, Customers, Users: new user experiences, faster time-to-market, new consumption and business models
[Diagram: the platform labelled Modular, Simple & Scalable, Standards-Based, Interoperable and Open; multi-vendor, multi-environment; flexible infrastructure and new classes of applications; open & interoperable solutions built on standards and open source from modular, reusable components]
Generalized Orchestration Model
Principles:
• Functional architecture comprised of layered, loosely coupled, distributed system components
• Functions can operate and evolve independently
• Functions can be deployed in combination or in isolation
• Each layer abstracts the detail of what is below it from any function above
[Diagram of the layers, top to bottom: Svc Consumer Layer (consumer-facing service, service consumer lifecycle management) – API – Cross Domain Service Lifecycle Orchestration (operations and life-cycle management of services) – Svc Producer Layer with one Domain Controller or Orchestrator per domain (operations and life-cycle management of infrastructure) – Infrastructure, physical and virtual: virtual network functions, tenant VMs, physical packet/optical network, compute/storage]
CloudVPN Model Driven Architectural Approach
• Services are driven with an E2E scope.
• E2E scope is model driven.
• Models have both a Service and a Device component.
• Service-Network mappings bind Service Models to Network and Device instantiations.
• Models need to span across the multi-domain CVPN service path.
[Diagram: NCS holds Service Models, Svc-Ntwrk Models and Device Models, with a Service Definition per domain, across the Prem, Access, WAN and Compute domains; devices shown: CPE (L2NID, ISR), MX, Metro ME36xx, 9K, CRS, 3rd party; VNFs with service chaining on x86: CSR, vASA, router VNF, …]
Converging to Software Driven Architecture – Addressing the Hunger Gap
[Diagram: Business Operations (BSS) over Soft Real-Time SDN Orchestration and OSS; beneath them the physical layer (all access: MSAN, OLT, LTE; user area; packet network; data centers; Internet & peerings) and the logical layer; packet flows run from the user area through the packet network to DC-hosted and Internet services]
• Physical: IP optical network, x86 compute
• Logical: IP and overlay transport (virtualized), service creation
• Programmability: YANG over NETCONF, RESTCONF, RESTful, JSON
• Control: soft real-time network OSS, soft real-time compute orchestration
• Reduce the marginal cost of service creation to ~0: eliminate human operator intervention; integrate the custom IT back-end
• SDN: data-model-driven adaptation, with an abstraction stack (devices → topologies → services) and a decomposition (e2e services → automation → controllers → plugins → agents)
CloudVPN – A Programmable Platform for SPs to evolve their VPN offerings with Cloud integration at a lower TCO (agility, automation, simplification) and a low marginal cost, achieved through Virtualization and SDN enablement.