tfi2014 session i - state of sdn - scott sneddon

Copyright 2013 Alcatel-Lucent. All rights reserved.

Scott Sneddon
@ssneddon
Principal Solutions Architect, APAC Business Development Lead
Nuage Networks

A Policy Driven Approach to Software Defined Networking

Upload: colorado-internet-society-co-isoc

Post on 04-Jul-2015

Page 2

SDN in 2014

OpenFlow Controllers

Network Virtualization

White Box Switching

Open Source Projects

Network as a Service

Plenty of Innovation and Disruption…

Page 3

Why SDN?

Reduce Cost

Asset Utilization

Self Service

Automation

Make the network more “Cloud” like

We’re making great progress

Page 4

The “Consumption shift”

Cloud is changing the way technology is being consumed

From “order and wait”

To “instant gratification”

Consumer expectations are shifting

Multiple personas

Single user

On-demand personalized catalogue

Page 5

Compute is Virtualized

Available in Minutes

Network is Partially Virtualized

Configuration takes Days/Weeks

[Diagram: Datacenter Network. New Tenant / Application Request. Compute Management: auto-instantiation, compute request completed in minutes. Network Configuration: Help Desk, Change Control, IP Address, VLAN Address, Firewall Configuration, LAN (VLAN) Configuration, WAN (IP) Configuration, Security / QA Team, Project Coordinator; network change completed in days/weeks.]

Service velocity is hindered by manual network process

Page 6

Network is “more” virtualized

Some things available in minutes – Some not so much

Many network elements are manually configured

Manual per-tenant network configurations

[Diagram: Software Defined Datacenter Network. New Tenant / Application Request. Compute Management: auto-instantiation, compute request completed in minutes. Network Configuration: SDN Controller, some network change completed in minutes.]

Service velocity accelerated, but…

Page 7

Committees still build “networks”

Audits/reviews

In a NaaS environment (OpenStack Neutron, AWS, etc.) this is delegated to the tenant

Is this what your DevOps team should be doing?

We’ve only addressed part of the automation problem

[Diagram: Software Defined Network Configuration. DevOps Team: VLAN Address, IP Address, WAN (IP) Configuration, Firewall Configuration. Network configuration created in days/weeks.]

Page 8

Current Neutron Networking provides building blocks to create logical topologies: Networks, Ports, Subnets, Routers, Security Groups

neutron net-create web

neutron subnet-create --name web-subnet web 10.0.0.0/24

neutron router-create router1

neutron router-interface-add router1 web-subnet

Not abstracted into a consumable model

[Diagram: OpenStack Neutron Networks: web, app and db networks with VMs.]

Puts the burden of topology design on the DevOps team

Page 9

DevOps has an understanding of the specific application needs: Segmentation, Port numbers, Connectivity goals

Should not be burdened with the implementation details: Routes, Subnets, VLANs

The DevOps team needs an Abstracted view

[Diagram: A DevOps View. Three tiers (web, app, db), each with three VMs.]

Page 10

Network Administrators need to…

Define connectivity models: Paths, QoS, Access Control

Deploy service elements: Firewall, Load Balancer, IPS

Audit compliance

Audit usage

[Diagram: A Network Admin View. Policy Selector; chain 1, chain 2, chain 3, chain 4; service elements Firewall, IPS and Parental Ctl; Internet.]

Page 11

Policy approach to networking

Policy Templates

Users

Application Types

Business Rules

Policy Evaluation

[Diagram: Application Networks. Several instances, each made of repeated Firewall, W and BL elements.]

Design once, re-use multiple times

Page 12

What is a network Policy?

OpenStack Group Based Policy Abstractions for Neutron
https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction

• An Application-centric approach to networking

• Moving away from traditional network constructs

  • ports, subnets, routers, etc.

• Aiming for a highly abstracted interface for application developers to

  • express desired connectivity of application components

  • and express high-level policies governing that connectivity

• Without imposing constraints on the underlying implementation

Page 13

Policy Abstractions for Neutron

OpenStack Group Based Policy Abstractions for Neutron
https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction

[Diagram: Outside EPG on the Public Network; Web EPG, App EPG and DB EPG on Private Networks, each containing VMs; contracts between the groups labelled Web Contract, App Contract, App Contract.]

• Endpoint (EP) – an IP addressable entity

• Endpoint Group (EPG) – a grouping of Endpoints

• Policy Rule – individual rule that defines communication criteria

• Contract – a collection of Policy Rules that are applied to traffic between EPGs
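
The four terms above, worked as an added example (not part of the original slides, and not the Neutron Group Based Policy API): a small Python model in which traffic between Endpoint Groups is allowed only when a Contract bound to that pair of groups contains a matching Policy Rule. The IP addresses, ports, contract names, the "outside" fallback group and the default-deny behaviour are assumptions made for the illustration.

```python
# Added illustration: a toy model of the slide's terms, not the Neutron GBP API.
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class PolicyRule:            # individual rule defining communication criteria
    protocol: str
    port: int

@dataclass(frozen=True)
class Contract:              # collection of Policy Rules applied between EPGs
    name: str
    rules: frozenset

class Policy:
    def __init__(self):
        self.epg_of = {}     # Endpoint IP -> name of its Endpoint Group
        self.bindings = {}   # (consumer EPG, provider EPG) -> Contract

    def add_endpoint(self, ip, epg):
        self.epg_of[ip_address(ip)] = epg

    def bind(self, consumer, provider, contract):
        self.bindings[(consumer, provider)] = contract

    def evaluate(self, src, dst, protocol, port):
        """Return (allowed, reason). No matching rule means deny (assumption)."""
        src_epg = self.epg_of.get(ip_address(src), "outside")  # unknown source
        dst_epg = self.epg_of.get(ip_address(dst))
        if dst_epg is None:
            return False, "destination is not in any EPG"
        contract = self.bindings.get((src_epg, dst_epg))
        if contract is None:
            return False, f"no contract from {src_epg} to {dst_epg}"
        if PolicyRule(protocol, port) in contract.rules:
            return True, f"{contract.name}: {protocol}/{port}"
        return False, f"{contract.name} has no rule for {protocol}/{port}"

def build_three_tier():
    """Constructed web/app/db policy; addresses and ports are sample values."""
    p = Policy()
    for ip, epg in [("10.0.1.10", "web"), ("10.0.1.11", "web"),
                    ("10.0.2.10", "app"), ("10.0.3.10", "db")]:
        p.add_endpoint(ip, epg)
    p.bind("outside", "web", Contract("web-contract", frozenset({PolicyRule("tcp", 443)})))
    p.bind("web", "app", Contract("app-contract", frozenset({PolicyRule("tcp", 8080)})))
    p.bind("app", "db", Contract("db-contract", frozenset({PolicyRule("tcp", 5432)})))
    return p
```

Because the policy is stated per group rather than per subnet or port, adding another web VM only needs one `add_endpoint` call, and the audit question "what can reach the db tier?" is answered by reading `bindings`.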

Page 14

In application development…

We first define the application through source code

We then compile the application into machine instructions

Then we bind that application to a platform at run time: Assigning compute registers and memory locations

In a Policy driven network…

We first define the application’s connectivity requirements and business rules: Application Policy

We then map this application to a network service: Predefined network templates, network contracts

Then we implement these network services when the application is deployed: Automated, Dynamic

To Achieve a Policy Driven Network

Page 15

To Achieve a Policy Driven Network

[Diagram: SDN Framework. Labels: Application Request, Application Attributes, Service Mapping, Topology Attributes, Service Binding, Technology Attributes; web, app and db tiers of VMs.]

Page 16

Policy Driven Networking Delivered

Nuage has provided policy abstractions for virtual and physical networks since our first release

L2, L3, ACLs, QoS, Service Chaining, Traffic Statistics

Difficult to express using existing Neutron constructs…

Which is why we’re contributing to Group Based Policy: Cleanly express application policy in Neutron

Page 17

Network Policy templates and role-based workflow

[Diagram: Tenant / Application Request. Compute Management: auto-instantiation, compute request completed in minutes. Networking and Security/Compliance: Templates (IP address, WAN interconnect, Policy / Security Zones, L2 / L3 Service AD, Service chaining). Network Policy Engine (Nuage Networks VSP). Network change completed automatically.]

Policy Instantiation

• IP address 10.x.y.z

• VLAN configuration

• WAN configuration

• Security / FW settings

• QoS parameters

• …

Service velocity is not hindered by manual network process

Page 18

Conclusions

• Creation of distributed virtual switches and virtual routers - great for virtual networks and better than VLANs, but …

• Creates a distributed virtual configuration and management challenge

• Provisioning and management of these endpoints cannot be done with traditional methodology

• Policy abstraction is a proven framework

• Nuage Networks has been shipping Policy Driven SDN since May 2013

Page 19

For more information…

• Nuage Networks Virtualized Services Platform

• http://www.nuagenetworks.net

• OpenStack Neutron Group Based Policy Abstraction

• https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction

• OpenDaylight Application Policy Plugin

• https://wiki.opendaylight.org/view/Project_Proposals:Application_Policy_Plugin

Page 20

8/29/2014

Network Policy NOW

@nuagenetworks

@ssneddon