Layer 7 Visibility for vCPE Services
Today’s Presenters
• Moderator: Gabriel Brown, Senior Analyst, Heavy Reading
• Presenter: Nicolas Bouthors, Distinguished Engineer, NFV & SDN, Qosmos
• Presenter: Murray Cooke, Network Computing Solutions Architect, Intel Corporation
Agenda
• Introduction – Heavy Reading
• Rationale for vCPE – Intel
• Importance of Layer-7 Visibility – Qosmos
• Q&A
Why Virtual CPE? What are the Benefits?
• Reduced deployment costs. In the vCPE model a single, lower-cost device can be installed on premises to replace several specialized devices. Reducing “truck roll” is especially useful for remote offices and international offices where it is costly to send technicians.
• Inject value into Enterprise WAN services. By virtualizing functions, such as firewalls, IPS, and SBCs, that previously ran on dedicated on-premises equipment, operators can create a catalogue of software-based services that can be deployed on-demand by enterprise customers using self-service portals.
• Leverage economies of scale in COTS server market. Classic CPE devices are already cost-optimized; however, there is an opportunity to benefit from the volume economics associated with standard off-the-shelf servers if they can be optimized to run VNFs from multiple vendors.
Virtual CPE / Cloud VPN Service Offers
Operator | Service Description
• Cloud VPN services launched Q1 2015 on Pan European IP network
• Automatic provisioning of service via customer console
• Virtualized networking functions run in OpenStack environment
• Progressive commercial service from an enterprise-focused provider
• Low cost Ethernet access device at customer premises
• Virtual CPE functions running on/behind IP edge router
• Pre-commercial trial of virtual CPE underway
• Automatic provisioning of VPN services via customer console
• Multivendor deployment using a cloud orchestration tool
• Based on AT&T’s “Network on Demand” platform
• White-box devices on premises; Leverages SDN for service config.
• Multivendor deployment; Currently in advanced trial-phase
• True cloud-based SSL VPN targeted at smaller office locations
• Wide-range of cloud-based virtual network services
• Reports significantly reduced service provisioning times
Classic & Virtual CPE Models
[Figure: three CPE models, each linking Customer Premises over MPLS/Ethernet/IPsec/SSL VPN to the Operator Network (IP Edge, Data Center, IT XaaS).]
• Classic Model “CPE Stacking”: Multiple Physical Appliances (Web Filter, NAT, DDoS, IPS/IDS, Firewall, Router, Switch)
• Single “Smart” CPE: L3 Access Device w/ compute; CPE VNFs (Firewall, Router, WAN Acceleration, Other VNFs)
• Basic “Thin” CPE: NID (Low Cost Access Device); CPE VNFs (Web Filter, NAT, DDoS, IPS/IDS, Firewall, Router)
3 Key Use-cases for Layer-7 Visibility
• Monitoring/reporting via a service dashboard or portal. Typical requirements are for usage monitoring and metering, service assurance, SLA monitoring, accounting, and compliance.
• Layer 7 firewall capability. Enterprises may want to either block or rate-limit certain types of traffic (BitTorrent, for example) or manage the QoE of certain users or applications.
• VNF service chaining. Optimize the use of Layer 4-7 VNFs in enterprise WAN scenarios by directing only the flows that need processing by a particular VNF into the correct processing path.
Layer 7 Visibility for vCPE Services Webinar, 10th February ‘16
Murray Cooke
Network Computing Solutions Architect
February 2016
NFV vCPE Solutions
Legal Disclaimer
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL
PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY
WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO
FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.
A "Mission Critical Application" is any application in which failure of the Intel Product could result, directly or indirectly, in personal injury or death. SHOULD YOU PURCHASE OR USE INTEL'S PRODUCTS
FOR ANY SUCH MISSION CRITICAL APPLICATION, YOU SHALL INDEMNIFY AND HOLD INTEL AND ITS SUBSIDIARIES, SUBCONTRACTORS AND AFFILIATES, AND THE DIRECTORS, OFFICERS,
AND EMPLOYEES OF EACH, HARMLESS AGAINST ALL CLAIMS COSTS, DAMAGES, AND EXPENSES AND REASONABLE ATTORNEYS' FEES ARISING OUT OF, DIRECTLY OR INDIRECTLY, ANY
CLAIM OF PRODUCT LIABILITY, PERSONAL INJURY, OR DEATH ARISING IN ANY WAY OUT OF SUCH MISSION CRITICAL APPLICATION, WHETHER OR NOT INTEL OR ITS SUBCONTRACTOR
WAS NEGLIGENT IN THE DESIGN, MANUFACTURE, OR WARNING OF THE INTEL PRODUCT OR ANY OF ITS PARTS.
Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or
"undefined". Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change
without notice. Do not finalize a design with this information.
The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available
on request.
Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order.
Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or go to: http://www.intel.com/design/literature.htm
Intel processor numbers are not a measure of performance. Processor numbers differentiate features within each processor family, not across different processor families: Go to: Learn About Intel® Processor
Numbers
Intel, the Intel logo, Itanium, Intel Atom, Intel Xeon Phi, Intel AppUp, and Xeon are trademarks of Intel Corporation in the U.S. and/or other countries.
*Other names and brands may be claimed as the property of others.
Copyright © 2016 Intel Corporation. All rights reserved
Agenda
• Intel’s Network Transformation Strategy
• Portfolio of Enterprise vCPE solutions
• Network Builders for Service Providers
Intel is Investing to Lead the Transformation
• Drive an open ecosystem (Intel® Network Builders)
• Advance open source and standards
• Deliver open reference architectures (Intel® Architecture, Linux, KVM)
• Collaborate with end users
• Intel technology leadership
Transforming Enterprise Customer Premises Equipment
• Accelerating Deployment and Service Upgrade Times
• Providing on Demand Software Service Delivery through Customer Portals
• Reduces costs
• Enabling a “Trial Before Buy” Sales Model
[Figure labels: Network Edge; IPS VNF; Firewall VNF; WAN Acceleration VNF; CE Router VNF]
vE-CPE Small Enterprise: Multi VNF, 5 < 50 Users
Applicable for Small (SME) Premise/Office
Site Users: 5 - 50
Switching Requirements: 4Mbps – 140 Mbps (for legacy TDM T1/E1 – T3/E3, DSL, or OTL links)
Hardware: Intel® C25XX (Atom)
Network Interface: TDM WAN and 100 MbE E LAN, 10MbE Mgmt
Crypto: 4 – 140 Mbps, to suit WAN
Workloads: 1-3 VMs from: vRouter, Firewall, WAN Acceleration, or Mgt probe VM
[Figure labels: Router VM; Firewall; Open VSwitch; Intel® C25XX (Atom) cores]
Customer Premise located: C25xx
Form Factor: Pizza Box
Hardware: Intel® C25xx (Rangeley); 2 to 8 Cores; 88E1112 PHY
Network Interface: 1GbE WAN + LAN + 1 Mgmt
Workloads: 1-3 VNFs from: VPN, NGFW, vRouter, Mgt VM
Legacy Access I/F (DSL, TDM OTL): 1 x PCIE for Legacy WAN Add on Card
Storage: SATA3.0, SATA2.0 or SSD (80-360G) via 1xPCIe
LTE OOB Management: 1 x PCIe
Security options: UEFI Secure Boot
[Block diagram labels: Intel® C25XX; SGMII; 88E1112 PHY (x2); Mag; Enterprise LAN; WAN; 80G SSD; SATA; eSATA; Mgmt Eth; Management; X1 PCIe (Legacy); Mini-PCIe (LTE OOB)]
Expansion Lanes For Legacy WAN Access and OOB Management (e.g. POTS, LTE)
Options for Extended Local Storage and Extended Office Capabilities
vE-CPE Large Enterprise: Multi VNF, 50 Users < 500
Applicable for MNC and SME branch offices
Site Users: 50 – 500
Switching Requirements: 100Mbps- 3100 Mbps (to suit 10MbE- 622M BPON Lines)
Hardware: Intel® XEON D (Broadwell), Intel® X552 NIC, 8GB Memory min.
Network Interface: DSL - OTL WAN and 100 GbE LAN, 1 Mgmt
Crypto: As Per WAN
Workloads: 2-4 VNFs from vRouter, IPSec, NG Firewall, IPS, WAN Acceleration, WAN Optimizer
[Figure labels: Router VM; Management VM; Firewall; Open VSwitch; Intel® XEON D cores]
Customer Premise located: Xeon D
Form Factors: Pizza Box
Hardware: Intel® Xeon-D, 4-16 cores; Cortina* CS4227
Network Interface: 10GbE WAN + LAN + 1x1Gbe Mgmt
Workloads: 2-5 VNFs: From IPSec, NGFW, vRouter, WAN Acceleration, SBC
Legacy Access I/F (DSL, TDM etc): x1 x PCIe
Storage: SATA3.0 or SSD (80-360G) via 1xPCIe
LTE OOB Management: 1 x PCIe
Security options: UEFI Secure Boot + TXT + 89XX (Coleto Creek) IPSEC acceleration
[Block diagram labels: Intel® Broadwell DE; Cortina* CS4227 (x2); Enterprise; WAN; 80G SSD; SATA; Springville 1210-IT; NC-SI; Mag; Management; X1 PCIe (Legacy); Mini-PCIe (LTE OOB); Chipset 89XX; X8 PCIe; SGMII, KR; Niantic X552]
Performance Benchmarking
DPDK Software Architecture
Intel® NETWORK BUILDERS VALUE
Lead, Disrupt, Innovate, and Scale via a robust and mature ecosystem based on Intel Technologies to drive network transformation
Technology Enablement
Marketing Match-making
Intel Network Builders Program
Network Builders Facilities for Service providers
Sign-up as a member to leverage ecosystem benefits
https://networkbuilders.intel.com/endusersignup
PLAN
• Network Builders University: Curriculum of technical course offerings geared for end user education.
• Solutions Catalog: An extensive repository showcasing products from ecosystem vendors
• Solution Briefs: Publication of technical collateral, including blueprints of top use cases
DEPLOY
• Member Portal: Wiki for connection to industry experts, with Closed User Groups for project communications
• Custom Microsites: Custom sites developed for members based on specific project requirements.
• Joint Development: Co-development opportunities for optimization of reference solution stacks
CONNECT
• Members only Industry Events: Meet with Industry leaders at key summits, with state of the art panel discussions, and video interviews
• Focus Workshops: Face to face and hands on workshops delivered to support service providers.
• Benchmarking, PlugFests: Prove interoperability with Multi vendor Lab environments & plugfests
Summary
• Intel’s Network Transformation Strategy
• Portfolio of Enterprise vCPE solutions
• Network Builders for Service Providers
Poll #1
What proportion of new Enterprise Network connections in 2016 will use virtualised CPE?
• 0 to 5%
• 5 to 15%
• 15 to 50%
• 50 to 100%
Layer 7 IP Classification for vCPE Services – Use Cases
Nicolas Bouthors,
Distinguished Engineer - NFV & SDN
February 2016
Deployment Context for vCPE Services
[Figure labels: Regional Site (x2); Remote Site; SFC Services; Internal Cloud Services; External Cloud Services; IPSec]
• Focus is on flexibility for service delivery and cost reduction
• VPN and vCPE services are linked
• vCPE and data-center-based services are linked
Operator Challenges with vCPE Services
• Providing detailed application usage reporting to customers
• Facilitating Service Function Chaining and data center troubleshooting
• Enabling traffic visibility and control per subscriber and per application
• Optimizing resources for service chaining and data-center-based services
• Securing network traffic
• Offering new Value-Added Services (e.g. content filtering)
Granular and continuous Layer 7 visibility helps operators overcome challenges associated with vCPE services
Use Cases with L7 Visibility in the Network
[Figure labels: Enterprise Site (x2); VPN Tunnels; Network Headend; Service Classifier & Service Function Forwarder; Service Function (x2); Data Center; vSwitch; Virtual Network Function (x2); Layer 7 IP Classification (x2)]
BENEFITS
• Optimization of services delivered to premises based on subscriber and application
• L7 reporting for operators and customers
• L7 micro-segmentation for security
IMPLEMENTATION
• L7 IP classification is part of data plane and control plane; passive and inline
• Configured using reference implementations such as OpenStack or OpenDaylight
Use Cases Leveraging End-to-End L7 Visibility
[Figure labels: Enterprise Site; VPN Tunnels; Network Headend; Data Center; Service Classifier & Service Function Forwarder; Service Function (x2); vSwitch; vSwitch with conntrack; QoS; NAT; Virtual Network Function (x2); Layer 7 IP Classification (x3)]
BENEFITS
• Enables subscriber-aware service delivery
• Links VPN services and CPE services for traffic prioritization
• Extends the Service Chain domain to the enterprise and data center
IMPLEMENTATION
• Uses OpenDaylight and OpenStack
• Extends iptables and Open vSwitch with Layer 7 IP Classification
Examples of New Services Enabled by L7 Visibility
• L7-based QoS / prioritization for VPN
• Per subscriber / subscriber-class services
• Support for end-to-end troubleshooting
• Support for capacity upgrades
• Inter-site L7-aware routing and firewalling
• L7-aware East-West visibility for data-center-based services
Layer 7 visibility is an essential ingredient of any vCPE strategy for both equipment vendors and operators
Qosmos, Qosmos ixEngine, Qosmos ixMachine and Qosmos DeepFlow are trademarks or registered trademarks in France and other countries.
Other company and products name mentioned herein are the trademarks or registered trademarks of their respective owners. Copyright Qosmos
Non-contractual information. Products and services and their specifications are subject to change without prior notice
© Qosmos
Poll #2
Which L7-enabled VAS do you think will be most important to vCPE customers?
• Customer reporting & dashboards
• Traffic shaping for Quality of Service
• L7 Firewall
• Service Chaining
• Other
Q&A