København, 18 April 2013: Software Defined Networking (SDN) in the data center

Page 1:

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect

København, 18 April 2013

Software Defined Networking (SDN) in the data center
Hans Donnerborg, [email protected]

CCIE #1486

Page 2:

"With SDN in the data center, the edge of the network has moved from being something controlled on a physical switch to being a virtual device inside a server. For several years it has been possible to use a Nexus 1000V switch with VMware's hypervisor. We now have support for Microsoft Hyper-V, and further hypervisors will follow over the coming period. Come and hear about the plans and which features are offered."

Page 3:

What is Software Defined Networking?

Many definitions

• OpenFlow
• Controller
• OpenStack
• Overlays
• Network virtualization
• Automation
• APIs
• Application-oriented
• Virtual services
• Open vSwitch
• …

Page 4:

Customer segments for programmable networks

• Testing/experimenting with OpenFlow/SDN components for the production network of the future
• Programmable APIs for insight into and control of network traffic
• Uniform policy and uniform service delivery
• Virtual workloads, VDI, management of security profiles
• Automation and programmable overlay networks, OpenStack

Page 5:

Cisco Open Network Environment

• Platform APIs: onePK (One Platform Kit), an open API for development on the IOS, IOS-XR and NX-OS platforms
• Controller/agents: OpenFlow agent for the Catalyst series (3K); controller software for SDN development
• Overlay virtual networks: Nexus 1000V, multi-hypervisor, OpenStack, security

Page 6:

Cisco's differentiation: multi-layer programmability

• Network elements
• Analysis and monitoring, performance and security
• OpenFlow/SDN
• Application developer environment
• Open Network Environment

Page 7:

Definitions

SDN: "…In SDN the control plane and the data plane are decoupled. Network intelligence is logically centralized, and the network infrastructure is not visible to the applications…"
Source: www.opennetworking.org

OpenStack: open-source software used in public or private clouds, covering compute, network and storage services.
Source: www.openstack.org

Overlay networks: established on top of existing infrastructure (physical and/or virtual) using network protocols.

OpenFlow: "…an open standard for developers to experiment with protocols in networks. Provides a standard approach without compromising the vendor's operating system…"
Source: www.opennetworking.org

Page 8:

OpenStack Core Projects

OpenStack Compute (Nova) Software to provision virtual machines on commodity hardware at massive scale

OpenStack Object Storage (Swift) Software to reliably store billions of objects distributed across commodity hardware

OpenStack Image Service (Glance) Services for discovering, registering, and retrieving virtual machine images

Page 9:

OpenStack Core Projects

OpenStack Dashboard (Horizon) A self-service web portal to allow administrators and users to manage OpenStack resources

OpenStack Identity (Keystone) Provides “unified authentication” across all OpenStack projects and integrates with 3rd party authentication systems

OpenStack Network Service (Quantum; the project was later renamed Neutron) Provides "network connectivity as a service" between devices managed by other OpenStack services

Page 10:

OpenStack APIs

Page 11:

Basic Quantum API Abstractions

Page 12:

Enables multi-tier network

Figure: three-tier topology with VM 1 (Host A, web server), VM 2 (Host A, application) and VM 3 (Host B, database); the networks "External_Network", "App_Network" and "DB_Network"; and a router joining the tiers.

Page 13:

Physical | Virtual | Cloud journey

Physical workload: one app per server; static; manual provisioning
Virtual workload: many apps per server; mobile; dynamic provisioning
Cloud workload (hypervisor, VDC-1, VDC-2): multi-tenant per server; elastic; automated scaling

Consistency: policy, features, security, management, separation of duties

Switching: Nexus 1000V, VM-FEX (virtual); Nexus 7K/5K/3K/2K (physical)
Services: vWAAS, VSG, ASA 1000V, vNAM* (virtual); WAAS, ASA, NAM (physical)
Routing: Cloud Services Router (CSR 1000V) (virtual); ASR, ISR (physical)

Page 14:

Server virtualization issues

1. vMotion moves VMs across physical ports; the network policy must follow vMotion (across racks, PODs, DCs)
2. Must view or apply network/security policy to locally switched traffic
3. Need to maintain segregation of duties while ensuring non-disruptive operations

Figure: port group; server admin, network admin and security admin roles.

Page 15:

Where do we fit in that?

Cloud portal and orchestration: System Center; CIAC/OpenStack/partners
Computing platform: multiple hypervisors (Hyper-V, vSphere, KVM, Xen, open source)
Storage platform
Virtual network infrastructure (L2-3): Nexus 1000V, vPath
Cloud network services (L4-7): WAAS, NAM, ASA 1000V, NetScaler, VSG, partners
Physical network

Page 16:

Cisco Nexus 1000V for Hyper-V

Figure: VMs on Nexus 1000V VEMs under VMware vSphere (VMware vCenter with a Nexus 1000V VSM) and under Windows Server 2012 Hyper-V (SCVMM 2012 SP1 with a Nexus 1000V VSM).

Consistent architecture, feature set and network services ensure operational transparency across multiple hypervisors.

Page 17:

Cisco Nexus 1000V for Hyper-V: operational model with SCVMM

• Nexus 1000V VSM: create networks and policies (logical networks, network sites, VM networks); networks and policies are synced to SCVMM
• SCVMM: adds hosts to the N1KV and connects VMs (VNICs) to VM networks
• SCVMM manages the placement and live migration of the VMs based on the constraints between VM networks and the network sites.

Figure: Windows Server 2012 Hyper-V server running a Nexus 1000V VEM with VMs.

Page 18:

Cisco Nexus 1000V architecture utilizes the Hyper-V Extensible Switch platform

• Extensions process all network traffic, including VM-to-VM on the same host
• Forwarding extensions can capture and filter traffic as well
• Nexus 1000V will work with other 3rd-party capture and filtering extensions as well
• Live migration and NIC offloads continue to work even when the extensions are present

Figure: extension stack of capture extension, filtering extension and forwarding extension; Nexus 1000V is a forwarding extension.

Page 19:

Microsoft SCVMM networking concepts: logical networks and network sites

• A Logical Network represents a network with a certain type of connectivity characteristics (e.g. DMZ network, intranet, isolation)
• An instantiation of a Logical Network on a set of host groups (e.g. the hosts in a POD) is called a Network Site
• Network Sites can be defined based on physical network connectivity or based on isolating traffic to specific host groups

Figure: one Logical Network spanning hosts in the Network Sites San Jose and Seattle.

Page 20:

Microsoft SCVMM networking concepts: associating VNICs to VM Networks and port classifications

• Choose network: VM Network (a VM Subnet is tied to the network 1:1)
• Choose IP address type (DHCP or statically assigned); choose an IP pool for static IPs
• Choose port profile classification policy (QoS, security, monitoring); a classification refers to a port profile

Page 21:

Current N1KV/ESX version:

    port-profile db-client
      switchport mode access
      switchport access vlan 10
      ip port access-group dbclient in
      no shutdown
      state enabled

    port-profile db-server
      switchport mode access
      switchport access vlan 10
      ip port access-group dbserver in
      no shutdown
      state enabled

N1KV/Hyper-V version (the VLAN moves out of the port-profile into a network-segment, so the port-profile carries only the port policy, here the inbound ACL):

    port-profile db-client
      ip port access-group dbclient in
      no shutdown
      state enabled

    port-profile db-server
      ip port access-group dbserver in
      no shutdown
      state enabled

    network-segment db-network
      switchport mode access
      switchport access vlan 10

Figure: DB client VMs and DB server VMs on the DB network.

Page 22:

    network-definition DMZ_POD1

    network-segment DMZ_POD1_SUBNET1
      switchport mode access
      switchport access vlan 20
      ip-pool DMZ_POD1_Pool1
      network-definition DMZ_POD1

    network-segment DMZ_POD1_SUBNET2
      switchport mode access
      switchport access vlan 21
      ip-pool DMZ_POD1_Pool2
      network-definition DMZ_POD1

    network-segment DMZ_POD1_SUBNET3
      switchport mode access
      switchport access vlan 22
      ip-pool DMZ_POD1_Pool2
      network-definition DMZ_POD1

Network site "DMZ_POD1" contains the VM networks DMZ_POD1_SUBNET1, DMZ_POD1_SUBNET2 and DMZ_POD1_SUBNET3.

• A Network Site is a grouping of VM Networks that are always available together on the same host simultaneously
• A host uplink can be configured to carry one or more Network Sites
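In the Hyper-V model the network admin owns the network-segments (VLAN, IP pool, network-definition) and the security policy lives in the port-profiles, while the server admin only picks a VM network and a classification in SCVMM. That split is only as good as the port-profiles, so an added example follows (not code from the presentation or from Cisco): a small audit that parses the plain-text configuration style used on pages 21 and 22 and reports enabled port-profiles with no inbound IP ACL, network-segments missing a VLAN, ip-pool or network-definition, references to undefined network-definitions, and VLANs or IP pools shared by more than one segment. The sample configuration is constructed from the slides' blocks plus one deliberately unprotected profile, legacy-mgmt, to exercise the ACL check; on that input the audit also reports that DMZ_POD1_SUBNET2 and DMZ_POD1_SUBNET3 both name DMZ_POD1_Pool2, as the slide shows them.

```python
"""Audit Nexus 1000V (Hyper-V model) port-profiles and network-segments (added example)."""
import re
from collections import defaultdict

# Constructed sample: the slides' blocks plus an unprotected profile.
SAMPLE_CONFIG = """\
network-definition DMZ_POD1

network-segment DMZ_POD1_SUBNET1
  switchport mode access
  switchport access vlan 20
  ip-pool DMZ_POD1_Pool1
  network-definition DMZ_POD1

network-segment DMZ_POD1_SUBNET2
  switchport mode access
  switchport access vlan 21
  ip-pool DMZ_POD1_Pool2
  network-definition DMZ_POD1

network-segment DMZ_POD1_SUBNET3
  switchport mode access
  switchport access vlan 22
  ip-pool DMZ_POD1_Pool2
  network-definition DMZ_POD1

port-profile db-client
  ip port access-group dbclient in
  no shutdown
  state enabled

port-profile db-server
  ip port access-group dbserver in
  no shutdown
  state enabled

port-profile legacy-mgmt
  no shutdown
  state enabled
"""

BLOCK_KINDS = ("port-profile", "network-segment", "network-definition")


def parse_blocks(text):
    """Return {kind: {name: [child lines]}} for the top-level blocks in the config.
    A block starts at column 0 as '<kind> <name>'; its body is the indented lines."""
    blocks = {kind: {} for kind in BLOCK_KINDS}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] != " ":
            kind, _, name = raw.strip().partition(" ")
            if kind not in BLOCK_KINDS:
                current = None  # block type this audit does not look at
                continue
            blocks[kind][name] = []
            current = blocks[kind][name]
        elif current is not None:
            current.append(raw.strip())
    return blocks


def _value(lines, prefix):
    """Last word of the first line starting with prefix, or None."""
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), None)


def audit(text):
    """Return a sorted list of (severity, message) findings."""
    b = parse_blocks(text)
    findings = []
    for name, lines in b["port-profile"].items():
        enabled = "state enabled" in lines
        has_acl = any(re.fullmatch(r"ip port access-group \S+ in", l) for l in lines)
        if enabled and not has_acl:
            findings.append(("HIGH", f"port-profile {name}: enabled without an inbound IP ACL"))
    vlan_users, pool_users = defaultdict(list), defaultdict(list)
    for name, lines in b["network-segment"].items():
        vlan = _value(lines, "switchport access vlan ")
        pool = _value(lines, "ip-pool ")
        ndef = _value(lines, "network-definition ")
        for field, value in (("access VLAN", vlan), ("ip-pool", pool), ("network-definition", ndef)):
            if value is None:
                findings.append(("HIGH", f"network-segment {name}: no {field}"))
        if ndef is not None and ndef not in b["network-definition"]:
            findings.append(("HIGH", f"network-segment {name}: network-definition {ndef} is not defined"))
        if vlan is not None:
            vlan_users[vlan].append(name)
        if pool is not None:
            pool_users[pool].append(name)
    for vlan, users in vlan_users.items():
        if len(users) > 1:
            findings.append(("MEDIUM", f"VLAN {vlan} shared by segments {', '.join(sorted(users))}"))
    for pool, users in pool_users.items():
        if len(users) > 1:
            findings.append(("MEDIUM", f"ip-pool {pool} shared by segments {', '.join(sorted(users))}"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"{severity:6} {message}")
```

The shared-pool finding is reported as MEDIUM rather than HIGH because whether two VLANs may draw from one pool is a design decision; the audit only makes it visible. An enabled port-profile without an inbound ACL is reported as HIGH because any VM the server admin classifies into it gets unfiltered access to its segment.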

Page 23:

vPath and Cloud Network Services

Figure: virtual machine attributes, port profiles and vPath, shown for two hosts.

Page 24:

Cisco Nexus 1000V pricing will be consistent across hypervisors

Essential Edition
• VLAN, ACL, QoS
• VXLAN, vPath
• LACP
• Multicast
• NetFlow, ERSPAN
• Management
• vTracker
• vCenter plug-in

Advanced Edition (all Essential Edition features plus)
• Cisco TrustSec SXP support
• CISF: DHCP snooping, IP Source Guard, ARP inspection
• VSG

Page 25:

Cisco Nexus 1000V architecture: vPath and VXLAN

Figure: two hypervisor hosts running Nexus 1000V, connected over an Ethernet/IP network fabric to the N1KV VSM and the virtual services Cisco vWAAS, ASA 1000V, Cisco VSG, Citrix VPX*, CSR 1000V and Imperva WAF* (* to be released in CY13).

Page 26:

CSR Secure VPN Gateway

Challenges:
• Integrating enterprise and cloud VPN policies
• Backhaul to the data center increases latency
• Each cloud imposes different VPN types and scale limits

CSR 1000V in the cloud provider data center:
• Common VPN types: IPsec, DMVPN, EZVPN, FlexVPN
• Routing-based VPNs and private addressing
• Firewall, ACLs, AAA
• Direct, secure access; avoids backhaul to the data center
• Familiar, reliable and scalable VPN
• Compatible with existing management tools

Figure: branch locations (ISR, WAN router) reach the enterprise data center (ASR, distribution and ToR switches, servers, CSR 1000V) and the cloud provider data center (CSR 1000V) over the Internet.

Page 27:

Cisco's Virtual Security Portfolio

• Virtual ASA provides a consistent ASA feature set to secure the tenant edge
• VSG complements Virtual ASA to secure intra-tenant VM-to-VM traffic
• Solution provides:
  - Increased flexibility and operational efficiency via vPath (Nexus 1000V)
  - Dynamic, context-aware, multi-tenant management via VNMC

Figure: Tenant A and Tenant B VDCs with vApps on vSphere and Nexus 1000V with vPath; each tenant has VSGs and an ASA 1000V, managed through Virtual Network Management Center (VNMC) and VMware vCenter.

Page 28:

Overlays - VXLAN

Figure: VMs attached to a VXLAN overlay.
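Page 7 defines an overlay as a network built over existing infrastructure with a network protocol; VXLAN, the overlay the Nexus 1000V uses, does that by carrying each tenant segment's Ethernet frames inside UDP with a 24-bit VXLAN Network Identifier (VNI). The following added example (not code from the presentation or from Cisco) builds and parses the 8-byte VXLAN header from RFC 7348 over UDP/IPv4 and models a VTEP that delivers a decapsulated frame only when the VNI maps to a segment it owns. VXLAN itself carries no authentication, so a VNI is an identifier, not a credential: anything that can send UDP to the VTEP port can inject into any segment. The per-VTEP peer allow-list in the example is the minimal mitigation of that, and is the example's own addition, as are the addresses, MACs and VNI numbers. The UDP port is a parameter because the IANA port 4789 was assigned with the RFC; earlier implementations, the Linux kernel and the Nexus 1000V among them, defaulted to 8472.

```python
"""VXLAN encapsulation with VNI-based tenant isolation (added example)."""
import ipaddress
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned (RFC 7348); older stacks default to 8472
VXLAN_FLAG_I = 0x08     # "I" flag: the VNI field is valid


def vxlan_header(vni):
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def encapsulate(inner_frame, vni, src_vtep, dst_vtep, sport, dport=VXLAN_UDP_PORT):
    """Wrap an inner Ethernet frame in VXLAN/UDP/IPv4 (checksums left at 0).
    In a real VTEP the UDP source port is a hash of the inner frame so the
    fabric can load-balance flows; here the caller supplies it."""
    payload = vxlan_header(vni) + inner_frame
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + len(payload), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_vtep).packed,
                     ipaddress.IPv4Address(dst_vtep).packed)
    return ip + udp + payload


def decapsulate(packet, dport=VXLAN_UDP_PORT):
    """Return (src_vtep, vni, inner_frame); raise ValueError if this is not VXLAN."""
    if len(packet) < 20 + 8 + 8 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:
        raise ValueError("not UDP")
    src_vtep = str(ipaddress.IPv4Address(packet[12:16]))
    _, udp_dport, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if udp_dport != dport:
        raise ValueError(f"UDP port {udp_dport} is not the VXLAN port {dport}")
    flags, word = struct.unpack("!B3xI", packet[ihl + 8:ihl + 16])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    return src_vtep, word >> 8, packet[ihl + 16:ihl + udp_len]


class Vtep:
    """A VTEP that owns a set of VNIs (local tenant segments) and accepts
    encapsulated traffic only from known peer VTEPs; everything else is dropped
    and recorded so it can be alerted on."""

    def __init__(self, address, segments, peers):
        self.address = address
        self.segments = dict(segments)  # vni -> local segment name
        self.peers = set(peers)         # source VTEP addresses allowed to send to us
        self.dropped = []               # (reason, src_vtep, vni)

    def send(self, segment, inner_frame, dst_vtep, sport):
        for vni, name in self.segments.items():
            if name == segment:
                return encapsulate(inner_frame, vni, self.address, dst_vtep, sport)
        raise KeyError(f"no local VNI for segment {segment}")

    def receive(self, packet):
        """Return (segment, inner_frame), or None when the packet is dropped."""
        try:
            src, vni, frame = decapsulate(packet)
        except ValueError:
            self.dropped.append(("malformed", None, None))
            return None
        if src not in self.peers:
            self.dropped.append(("unknown-vtep", src, vni))
            return None
        if vni not in self.segments:
            self.dropped.append(("unknown-vni", src, vni))
            return None
        return self.segments[vni], frame


if __name__ == "__main__":
    # Constructed sample: a tenant-A frame between two hosts' VTEPs.
    frame = bytes.fromhex("02000000000b02000000000a0800") + b"tenant-A-payload"
    host_a = Vtep("10.0.0.1", {5001: "tenant-A"}, {"10.0.0.2"})
    host_b = Vtep("10.0.0.2", {5001: "tenant-A", 5002: "tenant-B"}, {"10.0.0.1"})
    print(host_b.receive(host_a.send("tenant-A", frame, "10.0.0.2", 49152)))
    print(host_b.receive(encapsulate(frame, 5002, "10.0.0.9", "10.0.0.2", 1234)), host_b.dropped)
```

Note what the allow-list does not do: a compromised peer VTEP can still inject into any VNI the receiver owns, because the source address is the only thing checked. Keeping the underlay that carries VTEP traffic unreachable from tenant workloads, or encrypting it, is what closes that gap.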

Page 29:

Nexus 1000V InterCloud: securely extend the enterprise environment into a provider cloud

Page 30:

Cisco Cloud Lab: hands-on training and demos

• Hands-on labs available for Nexus 1000V and VSG in Cloud Lab: https://cloudlab.cisco.com
• Open to all Cisco employees
• Customers/partners require sponsorship from their account team for access via a CCO login ID
• Extended-duration lab licenses for 1000V and VSG are available upon request

Page 31:

Thank you.