CloudVPN: Fostering the Evolution of Network-Based Cloud Service Providers

Bart Van de Velde, Sr. Director, Engineering, Chief Technology & Architecture Office

MPLS SDN NFV Congress - Paris

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda

•  Introduction

•  CloudVPN Use Case

•  CloudVPN Architecture

•  CloudVPN as a Service Delivery Platform

•  Summary

CloudVPN – A Programmable Platform for SPs to evolve their VPN offerings with Cloud integration at a lower TCO (agility, automation, simplification) and a low marginal cost, achieved through Virtualization and SDN enablement.


The New Customer Requirements

User ≠ One Size Fits All: new solutions demand more flexible and comprehensive offerings that interoperate with existing equipment, hardware and software included.

•  On-Demand Bandwidth & Capacity

•  Big Data & Analytics

•  Rapid Deployment of New Business Applications

•  Anywhere/Anytime Secure Accessibility

•  User Experience, Delivered

•  Open Solutions

•  Seamless Connectivity

•  One Stop Shop

•  UX & Multi-Platform

•  On-Demand Solutions

•  PAYG Models

The Starting Point: Unique Opportunity of the SMB Market

An excellent starting point to evolve Business Services Models:

•  Modular Architecture: Low Cost Customization

•  Cloud Services Deliver on New Buy Models, Demands & Cycles

•  Variability in Vertical, Size & Offering Needs, Buy-Cycle; One-Size Does Not Fit All

SDN, NFV and Orchestration Creating the Change Platform

•  Orchestration: Automation, provisioning and interworking of physical and virtual resources

•  SDN: Separation of control and data plane

•  NFV: Network functions and software running on any open standards-based hardware

[Figure: a Services Platform built from Service Orchestration, NFV and SDN]

The Time is NOW to put SDN, NFV, and Orchestration into Action

The Mission: Service Provider Business Transformation

AUTOMATION, VIRTUALIZATION AND ORCHESTRATION ARE REQUIRED…HOW?

•  Virtualized Resource Pools (network ready compute/storage)

•  Virtualized Network Functions and Secure Overlays

•  Dynamic Set-Up, Tear Down and Provisioning

•  On-Demand Workload Movement with Service Profiles

•  Workload Portability

•  Full Access to Resource Pools Anywhere

[Figure: pillars Data Center, Network, Orchestration and Cloud Services]

Cost Reduction and Agility Delivers Profits

Agenda

•  SDN, NFV & Orchestration

•  CloudVPN Use Case

•  CloudVPN Architecture

•  CloudVPN as a Service Delivery Platform

•  Summary

Goal: Multi-tenant Virtual Private Network + Cloud

Virtual Private Cloud (VPC): a logical design automatically created within the WAN and the Cloud Data Center, with self-service creation and modifications.

[Figure (animated): access types xDSL, GPON, FTTX and Mobile attached through routers R1 and R2 to the multi-tenant VPC]

CloudVPN – Key Focus Areas

•  Self Service – Catalog Driven

•  Address Small [branches] of the large [enterprises]

•  Remote Worker, SOHO, Distributed Sites (hospitality, retail)

•  One Offering: Integrate VPN with Cloud Services

•  Lower TCO (agility, automation, simplification) via Virtualization & Cloud Management

•  Leverage existing SP Network Infrastructure

•  Shorter Time To Revenue with NO upfront CAPEX

•  Ability to bundle offers. SMB -> Mobile, Video, Smart business, security


Customer Experience in a Nutshell

Order Services -> CPE ships -> Unbox & Plug-in -> Orchestration happens! -> Service up and running

CloudVPN Business Services: Use Case 1: CloudVPN with Internet, Firewall (FW), Remote Access (RA)

Cloud IPVPN with FW and Remote Access to Internet

•  vFW with NAT and Policy

•  vFW with IPSec/SSL Remote Access including Remote End-Host posture verification

Overlay Packet Tunnels

•  IPSec tunnels – mesh, hub&spoke

Cloud-Hosted Management: Scalable, elastic, on-demand

[Figure: three CPEs connected over the Internet to the SP Cloud, which hosts a Virtual Router (VR), a vFW and an Internet Router]

CloudVPN Business Services: Use Case 2: CloudVPN with Internet, FW, RA and Enhanced Web Security

Cloud IPVPN with FW and Remote Access to Internet

•  vFW with NAT and Policy

•  vFW with IPSec/SSL Remote Access including Remote End-Host posture verification

•  WSAv for Enhanced Web Security

Overlay Packet Tunnels

•  IPSec tunnels – mesh, hub&spoke

Cloud-Hosted Management: Scalable, elastic, on-demand

[Figure: three CPEs connected over the Internet to the SP Cloud, which hosts a Virtual Router (VR), a vFW, a WSAv and an Internet Router]

CloudVPN Business Services: Use Case 3: CloudVPN with Internet, FW, RA and Next-Gen-IPS

Cloud IPVPN with FW and Remote Access to Internet

•  vFW with NAT and Policy

•  vFW with IPSec/SSL Remote Access including Remote End-Host posture verification

•  vNG-IPS (SourceFire) for advanced threat protection and real-time contextual awareness

Overlay Packet Tunnels

•  IPSec tunnels – mesh, hub&spoke

Cloud-Hosted Management: Scalable, elastic, on-demand

[Figure: three CPEs connected over the Internet to the SP Cloud, which hosts a Virtual Router (VR), a vFW, a vNG-IPS and an Internet Router]

Demo Time


Agenda

•  Introduction

•  CloudVPN Use Case

•  CloudVPN Architecture

•  CloudVPN as a Service Delivery Platform

•  Summary

CloudVPN End-to-End Architecture

Model driven service consumer portal for self-service service lifecycle: create, modify, redeploy, delete.

NCS network service lifecycle management.

[Figure: end-to-end architecture, summarised below]

•  Portal: Service Consumer Self Service (Create, Deliver, Operate, Optimize; Service Design with My Designs, My Deployments and a Deployment Wizard that deploys into a selected scope such as Engineering, Testing or New Folder) and Operator Self Service

•  BSS Systems of the SP; interfaces shown on the diagram: NC/YANG, RC/YANG, REST/XSD

•  NCS: service models and device models in YANG, fastmap and reactive fastmap, with NEDs for VR (CSR), vFW (vASA), ISR, vNG IPS and vSec Web

•  VNFs: VR_CSR, VFW_vASA, vNG-Intrusion Protection, vSecWeb-WSAv, each with netconfd for Config & Operation and attached to a Virtual Switch

•  ESC: virtual service lifecycle management on top of the O/S virtual infrastructure manager (Network, Compute, Storage) through the O/S component APIs

•  ISR CPE at the customer site, reached across the WAN network and Internet: Cisco PnP over http for Discovery & Call Home to the PnP Server (Call Home), and Cisco CLI via SSH for Config & Operation

CloudVPN with ISR CPE Use Case

[Figure: the Tenant Portal and the SP's OSS/BSS drive the Network Services Orchestrator (NSO) over REST APIs; NSO works with the PnP Server and the Elastic Services Controller (ESC), which spins up a CSR1Kv on OpenStack x86 servers; the ISR CPE at the customer site reaches the cloud through the DCI/PE]

1. Customer Orders VPN Service

2. ISR CPE Shipped to Customer Site, connected & Powered ON

3. PnP Functionality: Zero Touch Provisioning, Provide Day 1 Configuration

4. Spin up CSR, Provision CSR

5. Establish VPN: IPSec, IP Overlay (VXLAN, GRE, LISP), L2

6. CloudVPN Connectivity up

CloudVPN - Adding VNFs In The Cloud

If more VNFs are needed for a Service Chain?

[Figure: the same components as the ISR CPE use case (Tenant Portal, SP's OSS/BSS, NSO, PnP Server, ESC, OpenStack x86 servers, DCI/PE); ESC now brings up CSR1Kv, ASAv and vESA behind the Internet Gateway, chained through OVS or the VTF]

The provisioning steps are those of the ISR CPE use case: Customer Orders VPN Service; ISR CPE Shipped to Customer Site, connected & Powered ON; PnP Zero Touch Provisioning and Day 1 Configuration; Establish VPN (IPSec, IP Overlay (VXLAN, GRE, LISP), L2); CloudVPN Connectivity up.

More scalable and flexible service chaining enabled with VTC & high-performance VTF

CloudVPN Service Topologies

1. vIPVPN with FW and RA
- vFW with NAT and FW policy.
- vFW with IPSec/SSL Remote Access (RA) incl. remote end-host security posture verification.

2. vIPVPN with BYOD, FW and RA
- vFW with NAT and FW policy.
- vFW with IPSec/SSL remote access incl. remote end-host security posture verification.
- vISE for BYOD svc auth (AAA, trust-sec label to IP binding)

3. vIPVPN with BYOD, FW, RA, WebSec
- vFW with NAT and FW policy.
- vFW with IPSec/SSL remote access incl. remote end-host security posture verification.
- vISE for BYOD svc auth (AAA, trust-sec label to IP binding)
- vWSA for Enhanced Web Security

4. vIPVPN with BYOD, FW, RA, EmailSec
- vFW with NAT and FW policy.
- vFW with IPSec/SSL remote access incl. remote end-host security posture verification.
- vESA for Critical Information Protection (inbound and outbound Emails)

5. vIPVPN with BYOD, FW, RA, WebSec, ngIPS
- vFW with NAT and FW policy.
- vFW with IPSec/SSL remote access incl. remote end-host security posture verification.
- vISE for BYOD svc auth (AAA, trust-sec label to IP binding)
- vWSA for Enhanced Web Security
- vNG-IPS (SourceFire) for advanced threat protection and real-time contextual awareness

6. vIPVPN with BYOD, FW, RA, WebSec, DDoS
- vFW with NAT and FW policy.
- vFW with IPSec/SSL remote access incl. remote end-host security posture verification.
- vISE for BYOD svc auth (AAA, trust-sec label to IP binding)
- vWSA for Enhanced Web Security
- vDDoS (Radware DefensePro) for volumetric and application DDoS visibility and mitigation services

[Figure: one diagram per topology, each with three CPEs, a vR, an Internet Router and the listed VNFs; topology 4 also shows a DMZ with an email server]

Legend

Packet service nodes: vWSA (web security appliance), vESA (email security appliance), vISE (identity services engine), vFW (firewall), vNG-IPS (intrusion protection system), vDDoS (DDoS mitigation services), vR (router), vLB (load balancer), InternetRouter

Termination points: L2, L3

Packet links: tunnel, local link

Packet flows: unclassified, BYOD AAA, http requests, email (inside & outside), DDoS threat, IPSec/SSL, IPS threat

CloudVPN – Soft Real-Time Orchestration Loop

[Figure: the Operator Portal and the User Portal sit in front of NCS (NCS CLI, NBI, NETCONF Console) running the CloudVPN Function Pack; NCS manages the ISR CPEs and drives ESC, which deploys the CSR and the ASAv on OpenStack]

Service models and implementation

CloudVPN – Soft Real-Time Orchestration Loop

[Figure: the same NCS, ESC, OpenStack, ISR CPE, CSR and ASAv loop]

Service operations: CREATE SERVICE, UPDATE SERVICE, DELETE SERVICE, REDEPLOY SERVICE (FASTMAP)

Changed network state (PnP, ESC notifications) triggers a service redeploy.

ESC and NCS interaction allows for dynamic Service creation and Update.

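The loop above, as an added example that is not part of the deck nor of NSO/ESC: a FASTMAP-style mapping in Python, where one pure function turns the service intent into the complete desired device state, so create, update and redeploy all reduce to "recompute, then push the diff", delete is the reverse diff, and a PnP call-home or ESC notification only updates the facts and triggers a redeploy. The Service fields, the config keys and the addresses are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Service:
    """CloudVPN service intent as ordered by the tenant (constructed model)."""
    name: str
    sites: dict                                   # CPE -> WAN address from PnP call-home (None until then)
    vnf_chain: list                               # VNFs ESC has to bring up, e.g. ["csr", "asav"]
    vnf_mgmt: dict = field(default_factory=dict)  # VNF -> management IP reported by ESC

def map_service(svc):
    """FASTMAP-style mapping: service model -> complete desired device state (pure, re-runnable)."""
    desired = set()                               # (device, config key, value) triples
    hub = svc.vnf_mgmt.get("csr")
    for cpe, wan in svc.sites.items():
        if wan is None or hub is None:
            continue                              # tunnel not renderable until PnP and ESC both reported
        desired.add((cpe, "ipsec/peer", hub))
        desired.add(("csr", f"ipsec/peer/{cpe}", wan))
    if "asav" in svc.vnf_chain and "asav" in svc.vnf_mgmt:
        desired.add(("asav", "nat44/policy", "inside->outside"))
        desired.add(("csr", "route/default", svc.vnf_mgmt["asav"]))
    return desired

class Orchestrator:
    def __init__(self):
        self.applied = {}                         # service name -> config set currently on the devices

    def redeploy(self, svc):
        """CREATE, UPDATE and REDEPLOY are the same step: recompute, then push only the delta."""
        old = self.applied.get(svc.name, set())
        new = map_service(svc)
        self.applied[svc.name] = new
        return {"add": sorted(new - old), "remove": sorted(old - new)}

    def delete(self, svc):
        """DELETE is the reverse diff of everything the service created."""
        return {"add": [], "remove": sorted(self.applied.pop(svc.name, set()))}

    def on_notification(self, svc, source, **facts):
        """Changed network state (PnP call-home, ESC VNF-ready) updates the facts and triggers a redeploy."""
        if source == "pnp":
            svc.sites[facts["cpe"]] = facts["wan"]
        elif source == "esc":
            svc.vnf_mgmt[facts["vnf"]] = facts["mgmt_ip"]
        return self.redeploy(svc)

def walk_through():
    """Constructed run: order -> ESC brings up the CSR -> CPE calls home -> ASAv added -> delete."""
    nso, svc = Orchestrator(), Service("myvpn", {"cpe-01": None}, ["csr", "asav"])
    return [nso.redeploy(svc),                    # CREATE SERVICE: nothing renderable yet
            nso.on_notification(svc, "esc", vnf="csr", mgmt_ip="10.0.0.1"),
            nso.on_notification(svc, "pnp", cpe="cpe-01", wan="198.51.100.10"),
            nso.on_notification(svc, "esc", vnf="asav", mgmt_ip="10.0.0.2"),
            nso.delete(svc)]                      # DELETE SERVICE: reverse diff of the four lines
```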

CloudVPN – zooming in on the modeled Networking Layer

[Example of a network topology model: the model consists of nodes, links and termination_points; the diagram shows nodes node.1 to node.5, links link.1 to link.4 and termination points tp.1 to tp.8]

CVPN-S2S-RA-FW-INET network service topology

•  S2S: inter-site VPN with CPE-to-VR tunnels

•  RA: VFW with encrypted Remote Access (RA) incl. remote end-host security posture verification

•  FW-INET: VFW with NAT44 and stateful FW policy for Internet connectivity

[Example of a network topology model: CPEs and remote-access clients (RAC) attached to the VR and VFW, which front the Internet]

CVPN-S2S-RA-FW-INET packet flows: unclassified, http requests, DDoS threat, SSL, IPS threat

Packet processing shown along the flows: NAT44 (NAT44'ed traffic), WCCPv2 redirect (http only), IP forwarding (static or dynamic route), SSL termination, ACL based forward, packet processing & forwarding

Links: local connection, tunnel connection

Termination points: L2 (Ethernet), L3 (IPv6 and/or IPv4)

Underlay, Overlay and Virto

Topology dt_mvp1_underlay (tags: sjc_lab, underlay): cpe-01 (cisco-isr, Gig0/1), r2, br-outside-01 and compute-01 (cisco-ucs; eth1, eth4, eth4.100) hosting esc-01 (esc) on an ovs-network.

Topology dt_mvp1_overlay (tags: overlay): cpe-01 (cisco-isr) and router-01 (cisco-csr1000v) joined by an ipsec_vpn / ipsec_tunnel link (cpe-01, tunnel-01, router-01) with termination points uni, cpe, csr and nni.

Virto myvpn (tags: sjc_lab): nodes cpe, Virtual Router (VRF, IVRF), vFirewall firewall-01 (cisco-asa100V; inside and outside), vWSA wsa-01 (cisco-vwsa), vBridges br-01, br-02 and br-internet-01 on ovs-network, and the external network internet behind the gateway; cpe-01.Gig0/1 connects to router-01.Gig1 across an Unmanaged IP Network; interfaces shown: Gig1, Gig2, eth0, eth1, eth2, eth4.101; termination points tp1, tp2, tp3.

YANG tree of the virto model:

module: virto
   +--rw virto [id]
      ...
      +--rw topology-types?
      |  +--rw cvpnv:cloudvpn-virto?
      +--rw tags*                  string
      +--rw supporting-topology [id]
      |  ...
      +--rw node [id]
      |  ...
      |  +--rw node-type?
      |  |  +--rw cvpnv:cloudvpn-virto
      |  |  +--rw cvpnv:cpe?
      |  |  +--rw cvpnv:tunnel?
      |  |  +--rw cvpnv:vRouter?
      |  |  +--rw cvpnv:vFirewall?
      |  |  +--rw cvpnv:vAAA?
      |  |  +--rw cvpnv:vWSA?
      |  |  +--rw cvpnv:vESA?
      |  |  +--rw cvpnv:vIPS?
      |  |  +--rw cvpnv:vDOS?
      |  |  +--rw cvpnv:network?
      |  |  ...
      |  +--rw supporting-node*   node-ref
      |  +--rw termination-point [id]
      |     ...
      |     +--rw function?
      |     ...
      +--rw link [id]
      |  ...
      +--rw occupancy
         ...

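An added example, not code from the deck or from NCS, of what an operator can check against a virto instance before it is deployed: structural validation against the node types, supporting-node references and termination points of the YANG tree above, plus a defender-side check of the FW-INET intent (no cpe may reach the external network without passing a vFirewall). The instance mirrors the myvpn virto; its termination-point ids, supporting-node references and the cpe -> tunnel -> vRouter -> vFirewall -> vWSA -> internet chain order are assumptions for the example.

```python
from collections import defaultdict, deque

# node-type values from the cvpnv:cloudvpn-virto augmentation in the YANG tree above
NODE_TYPES = {"cpe", "tunnel", "vRouter", "vFirewall", "vAAA", "vWSA",
              "vESA", "vIPS", "vDOS", "network"}

def validate_virto(virto):
    """Structural checks on a virto; returns the list of problems found (empty = valid)."""
    problems, tp_owner = [], {}
    for nid, (ntype, tps, support) in virto["nodes"].items():
        if ntype not in NODE_TYPES:
            problems.append(f"{nid}: unknown node-type {ntype}")
        # managed elements need a supporting-node in overlay/underlay; the external network has none
        if ntype != "network" and not support:
            problems.append(f"{nid}: no supporting-node")
        for tp in tps:
            tp_owner[tp] = nid
    for src, dst in virto["links"]:
        for tp in (src, dst):
            if tp not in tp_owner:
                problems.append(f"link {src}->{dst}: unknown termination point {tp}")
    return problems

def firewall_bypass(virto):
    """cpe nodes that can reach a 'network' node without crossing a vFirewall (FW-INET gap)."""
    nodes = virto["nodes"]
    tp_owner = {tp: nid for nid, (_, tps, _) in nodes.items() for tp in tps}
    adj = defaultdict(set)
    for src, dst in virto["links"]:
        adj[tp_owner[src]].add(tp_owner[dst])
        adj[tp_owner[dst]].add(tp_owner[src])
    leaking = []
    for cpe in (nid for nid, n in nodes.items() if n[0] == "cpe"):
        seen, queue = {cpe}, deque([cpe])
        while queue:
            cur = queue.popleft()
            if nodes[cur][0] == "network":
                leaking.append(cpe)
                break
            # never walk through a firewall: beyond it the flow is policed
            queue.extend(n for n in adj[cur] if n not in seen and nodes[n][0] != "vFirewall")
            seen.update(queue)
    return leaking

# Constructed instance modelled on the 'myvpn' virto: node id -> (type, termination points, supporting-node)
MYVPN = {"id": "myvpn", "nodes": {
    "cpe-01":      ("cpe",       ["cpe-01.Gig0/1"],                            "overlay:cpe-01"),
    "tunnel-01":   ("tunnel",    ["tunnel-01.a", "tunnel-01.b"],                "overlay:ipsec_tunnel"),
    "router-01":   ("vRouter",   ["router-01.Gig1", "router-01.Gig2"],          "overlay:router-01"),
    "firewall-01": ("vFirewall", ["firewall-01.inside", "firewall-01.outside"], "underlay:compute-01"),
    "wsa-01":      ("vWSA",      ["wsa-01.eth0", "wsa-01.eth1"],                "underlay:compute-01"),
    "internet":    ("network",   ["internet.tp1"],                              None)},
    "links": [("cpe-01.Gig0/1", "tunnel-01.a"), ("tunnel-01.b", "router-01.Gig1"), ("router-01.Gig2",
              "firewall-01.inside"), ("firewall-01.outside", "wsa-01.eth0"), ("wsa-01.eth1", "internet.tp1")]}
```

Adding a direct router-01 to internet link to the instance makes firewall_bypass report cpe-01, which is the kind of mis-rendered service topology a redeploy should refuse.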

Agenda

•  Key Focus areas

•  CloudVPN Use case

•  CloudVPN Architecture

•  CloudVPN as a Service Delivery Platform

•  Summary

Service Platform Characteristics

•  Modularity & Interoperability: reusable & flexible, interoperable components; consistent APIs & open interfaces

•  Open Innovation, Open Source, Standards: standardization & development of open, multi-vendor solutions

•  Scale & Simplify the Network: virtualization & programmability; multi-layer convergence & interoperability, automated solutions

•  Increase Value for Partners, Customers, Users: new user experiences, faster time-to-market, new consumption & business models

[Figure: Modular; Simple & Scalable; Standards-Based; Interoperable; Open; Multi-Vendor, Multi-Environment; Flexible Infrastructure, New Classes of Applications; Open & Interoperable Solutions, Standards & Open Source; Modular & Reusable Components]

Generalized Orchestration Model

Principles

•  Functional architecture comprised of layered, loosely coupled distributed system components

•  Functions can operate and evolve independently

•  Functions can be deployed in combination or isolation

•  Each layer abstracts the detail of what is below it from any functions above

[Figure: Svc Consumer Layer (Consumer Facing Service, Service Consumer Lifecycle Management), over an API, on top of Cross Domain Service Lifecycle Orchestration (operations and life-cycle management of services); below it the Svc Producer Layer of Domain Controllers or Orchestrators, one per domain (operations and life-cycle management of infrastructure); at the bottom the Infrastructure, Physical and Virtual: Virtual Network Functions, Tenant VMs, Physical Packet/Optical Network, Compute/Storage]

CloudVPN Model Driven Architectural Approach

•  Services are driven with an E2E Scope.

•  E2E Scope is model driven.

•  Models have both a Service and Device component.

•  Service-Network mappings bind Service Models to Network and Device Instantiations.

•  Models need to span across the multi-domain CVPN service path.

[Figure: NCS holds the Service Models, Svc-Ntwrk Models and Device Models (Service Definitions) spanning the Prem, Access, WAN and Compute domains; elements shown: CPE, L2NID, MX, ISR, Metro, ME36xx, 9K, CRS, 3rd Party, and VNF Service Chaining on x86 (CSR, vASA, Router VNF, …)]

Converging to Software Driven Architecture – Addressing the Hunger Gap

[Figure: Business Operations (BSS) and Soft Real-Time SDN Orchestration and OSS above the network: All Access (MSAN, OLT, LTE), User Area, Packet Network, Data Centers (DC), Internet & peerings; packet flows run from the access through the Packet Network to the DC and the Internet Services]

Physical: IP Optical Network, x86 Compute

Logical: IP and Overlay Transport (Virtualized), Service Creation

Programmability: YANG over NETCONF, RESTCONF, RESTful, JSON

Control: Soft Real Time Network OSS, Soft Real Time Compute Orchestration

Reduce Marginal Cost of Service Creation to ~0: eliminate human operator intervention; integrate custom IT back-end

SDN: Data Model Driven Adaptation; an abstraction stack decomposition across devices, topologies, services, agents, plugins, controllers, automation and e2e services

CloudVPN – A Programmable Platform for SPs to evolve their VPN offerings with Cloud integration with a lower TCO (agility, automation, simplification) and low marginal cost achieved through Virtualization and SDN enablement.