Hardware Acceleraon in an SDN/NFV World: MRV … · pfSense Firewall OpenStack Compute 4 Quagga...

15
Confiden(al – not for distribu(on Hardware Accelera+on in an SDN/NFV World: MRV POC with Charter Communica+ons AusNOG 2016 Lightning Talk John Jones ([email protected]) Sept 2, 2016

Transcript of Hardware Acceleraon in an SDN/NFV World: MRV … · pfSense Firewall OpenStack Compute 4 Quagga...

Page 1: Hardware Acceleraon in an SDN/NFV World: MRV … · pfSense Firewall OpenStack Compute 4 Quagga (Internet) Quagga (L3 VPN) IXIA Tester ... § Enable/Disable the rules Demo – Virtual

Confiden(al–notfordistribu(on

HardwareAccelera+oninanSDN/NFVWorld:

MRVPOCwithCharterCommunica+ons

AusNOG2016LightningTalkJohnJones([email protected])

Sept2,2016

Page 2: Hardware Acceleraon in an SDN/NFV World: MRV … · pfSense Firewall OpenStack Compute 4 Quagga (Internet) Quagga (L3 VPN) IXIA Tester ... § Enable/Disable the rules Demo – Virtual

Confiden(al–notfordistribu(on 2

§  MRVNFVPOCwithCharterinDenver,Colorado.

§  WetookanMRVCarrierEthernetswitch,whichhasasiliconbasedpacketprocessorfor1and10GbpswirespeedCarrierEthernetservices,andweaddedanx86boardwhereweranmanagedrouter,managedsecurity,andmanagedSIPservices.

§  TheadvantagetoperformingNFVattheCPEisthatthesevirtualisednetworkfunc+onscanbehardwareacceleratedusingthepacketprocessorontheCPEitself.

Overview

Page 3: Hardware Acceleraon in an SDN/NFV World: MRV … · pfSense Firewall OpenStack Compute 4 Quagga (Internet) Quagga (L3 VPN) IXIA Tester ... § Enable/Disable the rules Demo – Virtual

Confiden(al–notfordistribu(on

MRV’sMetro-Op1mizedSDN/NFVVision

Op+Packet®SDNIntelligentaggrega+onCOgatewayMul+-tenantVNFhos+ng

Op+Switch®AccessvCPEwith

Hardwareaccelera+on

Op+Switch®Liteprogrammable

CPEOp+Driver®SDNProgrammableOp+calTransport

Pro-Vision®applica+onsandcustomerportal

Pro-Vision®mul+-layerorchestra+onwithopeninterfacestoOSS,SDNcontrollersandNFVorchestrators

Op+Switch®CloudvCPE

Page 4: Hardware Acceleraon in an SDN/NFV World: MRV … · pfSense Firewall OpenStack Compute 4 Quagga (Internet) Quagga (L3 VPN) IXIA Tester ... § Enable/Disable the rules Demo – Virtual

Confiden(al–notfordistribu(on

§  Access-op+mizedservercoupledwithpacketprocessorhardwareassist.

§  LatestIntelserverprocessors-lesspower,moreprocessingpower

-  Performanceop+ons:Low(ATOM)/Medium(I7)/High(XEON+DPDK,SR-IOV)

-  ExtendableRAM,SSD

•  Latestpacketprocessinghardwareassist,100M-10Gplaaormcapableofbringingupto44GfullwirespeedtotheNFVenvironment

§  BasedonOPNFVlatestrelease–Brahmaputra

–  Linux(Ubuntu14.10LTScloudserver)–  KVM,OVSforimprovedvirtualnetworking–  OpenStackLibertyRelease

§  ServiceChainingSupport

§  IntelligentoffloadofVNFforwardingtothehardware

§  Op+onfor4G/LTEwirelessbackup

EdgeNFV–vCPEattheCustomer’sPremises

4

Differen1a1ngelements:

•  Hardwareaccelera+onforVML2-L4forwarding

•  Fine-grainedQoS

•  Hardware-basedflowclassifierforefficientservicechaining

•  Zero-touch,remotedeploymentandserviceprovisioning

OS-VSeries

Page 5: Hardware Acceleraon in an SDN/NFV World: MRV … · pfSense Firewall OpenStack Compute 4 Quagga (Internet) Quagga (L3 VPN) IXIA Tester ... § Enable/Disable the rules Demo – Virtual

Confiden(al–notfordistribu(on 5

OS-V6ComputeNodeEnvironment

Ubuntu+vRouter-Quagga

VNF

PfSenseFirewallVNF

Ubuntu+vRouter

QuaggaVNF(Internet+IPSec)

FreePBX+AsteriskSIP

VNF

Ubuntu+KVM

OVS

Page 6: Hardware Acceleraon in an SDN/NFV World: MRV … · pfSense Firewall OpenStack Compute 4 Quagga (Internet) Quagga (L3 VPN) IXIA Tester ... § Enable/Disable the rules Demo – Virtual

Confiden(al–notfordistribu(on 6

§  ManagedWAN(router)–  Mul+plehubandspokesitesviaL3VPNservicesprovidedatCharterPE–  Mul+pleWANconnec+ons;combina+onofCharterandthird-partyconnec+ons–  BGP–  OSPF/IS-IS–  Dual-homedinternetservices

–  Aneyetoward/toSD-WANconcepts/capabili+es,e.g.,viaSD-WANVNFsuite(future)

§  Managedsecurity–  Unifiedthreatmanagementcapabili+es

•  An+virus•  Contentfiltering•  An+-spam

–  Off-footprintIPSectunnels,e.g.,overtheInternet

§  Managedvoiceservices–  SIPtrunksupport,e.g.,toChartervoiceservices–  OthersrequirementsTBD

§  ManagedCarrierEthernetMEFservices(op1onal)–  Valueaddovertheabovelayer3andsecurityfunc+ons,e.g.,viaHWaccelera+ontoMRVOp+Switch

•  MEFCE2.0Services–EPL,E-LINE,E-LAN,E-Access

ChartervCPEUseCase

Page 7: Hardware Acceleraon in an SDN/NFV World: MRV … · pfSense Firewall OpenStack Compute 4 Quagga (Internet) Quagga (L3 VPN) IXIA Tester ... § Enable/Disable the rules Demo – Virtual

Confiden(al–notfordistribu(on

Demosetup

7

OpenStackController

OSv6CPE

BGP/VLANtoInternet

BGP/VLANtoInternet

pfSenseFirewall

OpenStackCompute 4

Quagga(Internet)

Quagga(L3VPN)

IXIATester

FreePBX+AsteriskSIP

BGP/VLANtoL3VPN

Labnetwork

PatchPanelSwitch

CO/POP1Emula1on

FuelJumpBox

CO/POP2Emula1on

Page 8: Hardware Acceleraon in an SDN/NFV World: MRV … · pfSense Firewall OpenStack Compute 4 Quagga (Internet) Quagga (L3 VPN) IXIA Tester ... § Enable/Disable the rules Demo – Virtual

Confiden(al–notfordistribu(on 8

Setup

vCPE POP1POP2Fuel Ixia

SIPPhone1

SIPPhone2

POPPatchPanelSwitch

Page 9: Hardware Acceleraon in an SDN/NFV World: MRV … · pfSense Firewall OpenStack Compute 4 Quagga (Internet) Quagga (L3 VPN) IXIA Tester ... § Enable/Disable the rules Demo – Virtual

Confiden(al–notfordistribu(on

OpenStackusedastheVirtualInfrastructureManager(VIM)ofthesetup.UsingOpenStackHorizondashboard:§  Defineloca+onspereachcustomerandPoPsite

§  Images–whichimagesareinstalledandcanbeinstan+atedasVMs

§  Runninginstances–whichVMinstancerunsonwhichcomputenodeinwhichloca+on,ShowthatontheOS-V6wehave4VMsrunning:

TwoinstancesofQuagga,pfsenseFWandFreePBX§  Networktopology–howthevirtualtopologylookslike

OpenStackVIM

Page 10: Hardware Acceleraon in an SDN/NFV World: MRV … · pfSense Firewall OpenStack Compute 4 Quagga (Internet) Quagga (L3 VPN) IXIA Tester ... § Enable/Disable the rules Demo – Virtual

Confiden(al–notfordistribu(on

Connec+ontothemanagementconsoleofthepfSensefirewallVM:§  Showtherules§  ShowtheIPSectunnel§  Disable/EnabletheIPSectunnel§  Enable/Disabletherules

Demo–VirtualFirewallFunc1onality

Page 11: Hardware Acceleraon in an SDN/NFV World: MRV … · pfSense Firewall OpenStack Compute 4 Quagga (Internet) Quagga (L3 VPN) IXIA Tester ... § Enable/Disable the rules Demo – Virtual

Confiden(al–notfordistribu(on

DemonstrateFreePBXfunc+onalitybydialingtotheIPphonesconnectedtothesetup

Demo–VirtualPBXFunc1onality

Page 12: Hardware Acceleraon in an SDN/NFV World: MRV … · pfSense Firewall OpenStack Compute 4 Quagga (Internet) Quagga (L3 VPN) IXIA Tester ... § Enable/Disable the rules Demo – Virtual

Confiden(al–notfordistribu(on

Demo–Layer2Protec1on

12

BGP/VLANtoInternetSTP

BGP/VLANtoInternet

DemonstrateL2protec+on.Whenoneofthephysicaluplinksisdisconnected,theL2protec+onswitchisperformedbySTPontheOS-V6andtrafficismovedtotheremaininguplink

Page 13: Hardware Acceleraon in an SDN/NFV World: MRV … · pfSense Firewall OpenStack Compute 4 Quagga (Internet) Quagga (L3 VPN) IXIA Tester ... § Enable/Disable the rules Demo – Virtual

Confiden(al–notfordistribu(on

DemoStep5–L3Protec1on

1313

BGP1.1.1.1

BGP1.1.1.2

BGP1.1.1.3

eth1

eth2

L3protec+onu+lizingBGPfailover.WhenoneoftheVM’sBGPsessionsisdisconnected,theL3rerou+ngisperformedbyOS-V6VMLinuxandtrafficmovedtotheremainingBGPsession

Page 14: Hardware Acceleraon in an SDN/NFV World: MRV … · pfSense Firewall OpenStack Compute 4 Quagga (Internet) Quagga (L3 VPN) IXIA Tester ... § Enable/Disable the rules Demo – Virtual

Confiden(al–notfordistribu(on

Demo–Mul1plevRoutersforSD-WAN

1414

BGP1.1.1.1 BGP1.1.1.2

BGP1.1.1.3

eth1

eth2

Demonstra+onoftheabilitytoruntwoindependentvRouterinstances,eachofwhichbuildsadifferentroute.OneQuaggainstanceservesasaL3-VPNendpointandcreatesarouteviaPoP1,whereasthesecondQuaggainstanceservesasanInternetconnec+vityendpointandcreateadifferentrouteviaPoP2.SincetheInternetconnec+vitymustbesecured,theInternetQuaggaischainedtothevFirewallthatencapsulatesthetrafficinanIPSectunnel.

IP-VPN

InternetoverIPSec

BGP1.1.1.4

Page 15: Hardware Acceleraon in an SDN/NFV World: MRV … · pfSense Firewall OpenStack Compute 4 Quagga (Internet) Quagga (L3 VPN) IXIA Tester ... § Enable/Disable the rules Demo – Virtual

Confiden(al–notfordistribu(on

[email protected]


Quagga Manual en Espanol

Quagga Manual en Espanol

ICTF15 PfSense IPS Firewall

ICTF15 PfSense IPS Firewall

Zebra & Quagga Mussels. Exotics: Zebra & Quagga Mussels Zebra & Quagga Mussels Zebra & Quagga Mussels –Dreissena polymorpha First Invader First Invader.

Zebra & Quagga Mussels. Exotics: Zebra & Quagga Mussels Zebra & Quagga Mussels Zebra & Quagga Mussels –Dreissena polymorpha First Invader First Invader.

Routing Quagga

Routing Quagga

Hacom pfSense Deployment Guide pfSense Deployment... · Introduction PfSense is a complete, embedded firewall software package that provides all the important features of commercial

Hacom pfSense Deployment Guide pfSense Deployment... · Introduction PfSense is a complete, embedded firewall software package that provides all the important features of commercial

Hardware Acceleraon in an SDN/NFV World: MRV POC with ... · Hardware Acceleraon in an SDN/NFV World: MRV POC with Charter Communicaons ... , pfsense FW and FreePBX

Hardware Acceleraon in an SDN/NFV World: MRV POC with ... · Hardware Acceleraon in an SDN/NFV World: MRV POC with Charter Communicaons ... , pfsense FW and FreePBX

Hacom's pfSense Quick-Start Guide pfSense... · Hacom's pfSense Quick-Start Guide.....1 Introduction ... Hacom implements pfSense on our hardware to take advantages of their features,

Hacom's pfSense Quick-Start Guide pfSense... · Hacom's pfSense Quick-Start Guide.....1 Introduction ... Hacom implements pfSense on our hardware to take advantages of their features,

Manual quagga

Manual quagga

manual de iptables pfsense

manual de iptables pfsense

Quagga - nongnu.org · Quagga A routing software package for TCP/IP networks Quagga 1.2.0 March 2017 Kunihiro Ishiguro, et al.

Quagga - nongnu.org · Quagga A routing software package for TCP/IP networks Quagga 1.2.0 March 2017 Kunihiro Ishiguro, et al.

Quagga - downloads.pf.itd.nrl.navy.mildownloads.pf.itd.nrl.navy.mil/ospf-manet/archive/quagga-0.99.17mr2...Quagga A routing software package for TCP/IP networks Quagga 0.99.17mr2.0

Quagga - downloads.pf.itd.nrl.navy.mildownloads.pf.itd.nrl.navy.mil/ospf-manet/archive/quagga-0.99.17mr2...Quagga A routing software package for TCP/IP networks Quagga 0.99.17mr2.0

Quagga Sculpture

Quagga Sculpture

Manual Firewall Pfsense

Manual Firewall Pfsense

VPN Pfsense

VPN Pfsense

pfSense Security Appliance EVALUATION REPORT · pfSense Security Appliance EVALUATION REPORT for Rubicon ... of the pfSense firewall distribution that is distributed on their ...

pfSense Security Appliance EVALUATION REPORT · pfSense Security Appliance EVALUATION REPORT for Rubicon ... of the pfSense firewall distribution that is distributed on their ...

Firewalling pfsense-part2

Firewalling pfsense-part2

Freeswitch on pfSense

Freeswitch on pfSense

PfSense Wireless Interfaces

PfSense Wireless Interfaces

PfSense Book 21draft.en.Es

PfSense Book 21draft.en.Es

pfSense Installation Slide

pfSense Installation Slide