2. PROBLEMS TODAY IN NETWORKING
• Networks today are high touch, micromanaged
environments
• Network configuration is an “art” completely
divorced from the desired intent of the app
developer!
• Causes huge problems in scaling, coping with
failures, and interoperability
• SDN to date has not fixed this problem
2
3. TWO OPERATIONAL MODELS
Declarative Control
“Configure
acl”
“Let
my
web
servers
talk
to
my
app
servers”
“Allow
Host
A
to
talk
to
Host
B”
Faults
“Add
route
…”
Admin
“Trunk
vlan”
“Deploy
Applica-on
X”
Elements
Manager
pushes
configura-on
changes
to
devices.
Control
System
Imperative Control
“Will
Do”
Applicable
changes
made
3
4. COMPARISON TO THE SERVER WORLD – DEVOPS!
• The DevOps movement is largely
based on Declarative Policy!
• Millions of servers are managed in a
highly scalable manner
DevOps
LAMP Stack
MySQL Servers
Java App
Servers
• Time of the network to catch up!
4
5. COMPARISON TO TRADITIONAL SDN
Declarative Control
OpenFlow + OVSDB
Data Plane
Policy Mgr
APIC
Control
System
SDN Controller
Elements
Policy Mgr + Control Plane
Admin
Imperative Control
Protocols TBD…
Control + Data Plane
5
6. ADVANTAGES OF DECLARATIVE MANAGEMENT
Simple, abstract way of managing
infrastructure
Resiliency
Promise interfaces provide an easy
way to cope with failures
Interoperability
Device complexity / versions is
hidden from users and control
software
Ease of use
Self-documenting, easily automated
policies
How do we represent our declarations / policy?
Admin
“Let
my
web
servers
talk
to
my
app
servers”
“Allow
Host
A
to
talk
to
Host
B”
Faults
Scalability
Control
System
Key Advantages include:
Declarative Control
Elements
Declarative management (ie. Promise Theory) is the
voluntary cooperation of individuals or agents who
publish their intentions via commitments to each
other.
“Will
Do”
Applicable
changes
made
6
8. WHAT IS POLICY?
User Intent
Operational
Requirements
Cloud
Management
System
Infrastructure
Capabilities
Challenge:
How to capture user
intent through a
policy abstraction!
State of the
System
8
9. Simple provider-consumer
Or client-server relationship
or symmetric peer-to-peer
relationship like in a cluster.
I Invoke
governed by contract.
taboo
contract
I can speak french
EPG
?
you!
subject
I can talk about bees
EPG
…
Vous me rappelez
des abeilles! Blah
blah blah.
subject
contract
Providers
Peers
taboo
Consumers
Peers
9
10. WHAT IS AN APPLICATION?
App Tiers/Components
More than just a VM
each is a collection of
end-points with
semantically identical
properties
Interconnected components
internet
V
M
V
M
V
M
…
External
Private
Network
?
db
…
…
V
M
app
V
M
V
M
application
web
protected by
contract
membrane
10
11. NETWORK ENDPOINTS
à Things that connect to the fabric and use it to interface with other things
à A compute, storage or service instance attaching to a fabric
NIC
vNIC
IP
end-points [ EP ]
MAC
Network
Linux
Container
Namespace
11
12. NETWORK ENDPOINTS
à Things that connect to the fabric and use it to interface with other things
à A compute, storage or service instance attaching to a fabric
EP
EP
EP
.
.
.
A collection of end-points with identical
network behavior form a …
… end-point group [ EPG ]
All EPs share common properties
à
à
à
à
à
Connectivity
Security/Access control
QoS
Services
…
12
13. ENDPOINT GROUPS
GROUP APP SERVER
policies
GROUP WEB
EP
EP
EP
.
.
.
Allows to specify rules and policies on groups of
physical or virtual end-points without
understanding of specific identifiers and
regardless of physical location.
Can flexibly map into
à application tier of multi-tier app
à segmentation construct (ala VLAN)
à a security construct
à ESX port group
à …
… end-point group [ EPG ]
All EPs share common properties
à
à
à
à
à
Connectivity
Security/Access control
QoS
Services
…
13
14. CONTRACTS
GROUP APP SERVER
provider
…
contract
End points in group
WEB can access end-points in group APP
SERVER according to rules specified in the
contract
consumer
…
Allows to specify rules and policies on groups of
physical or virtual end-points without
understanding of specific identifiers and
regardless of physical location.
filter
GROUP WEB
EP
EP
.
.
.
filter
action
identifies subject to
which actions will be
filter
applied
…
EP
action
L4 port ranges
TCP options
…
filter
identifies actions applied to
the subject
action
QoS
Log
Redirect into SVC graph
…
action
defined bi-directionally in the “provider” centric way
14
15. EXAMPLE: THREE-TIER APP
infra shared services
Outside
Group DB
provide
provide
consume
sql contract
provide
provide
subnet
Group APP
consume
java contract
subnet
consume
provide
NW Private
Group WEB
web contract
NW Public
consume
consume
consume
provide
mgmt contract
L3 context
Bridge domain
Bridge Domain
Bridge Domain
15
17. OVERVIEW – DRIVING OPEN SOURCE POLICY
APP CENTRIC POLICY MODEL
•
•
Cloud Orchestration
Network
Neutron API for app centric policy
Future extensions to Heat / Nova / Horizon
•
•
•
Policy API support / extensions
Policy enforcement modules
Service redirection
APIC
Hypervisor / vSwitch
Application centric policy management through an open source software stack
17
18. GROUP-BASED POLICY IN OPENSTACK
Group-Based Policy Model Extensions (ACI-compatible)
Dashboard
Automation
GROUP POLICY MODEL
Compute
ACI Fabric
Networking
Storage
Merchant Silicon
OpenFlow
Software Overlay
Etc.
18
19. GROUP POLICY IN OPEN DAYLIGHT
Group Policy REST API
Affinity
“Native”
OpenFlow
ACI Fabric
Openflow, 3rd party
switches, …
Project currently in “Incubation” Status in ODL. See:
https://wiki.opendaylight.org/view/Project_Proposals:Application_Policy_Plugin
19
23. ACI BUILDING BLOCKS
FUTURE PROOF—SOFTWARE UPGRADABLE TO ACI
NEXT GENERATION NEXUS—TRADITIONAL NETWORKS
OPEN RESTFUL APIS
CENTRALIZED POLICY MODEL
OPEN SOURCE
APIC
SIMPLE, SECURE
CONTROLLER
PRICE
APIC
POLICY MODEL RATE 9300
NEXUS 9500 and
BUILT-IN LINE
INNOVATIONS IN SOFTWARE HARDWARE AND SYSTEM DESIGN
PERFORMANCE
PROGRAMMABILITY
POWER EFFICIENCY
SCALE OUT WITHOUT NX-OS
OPTIMIZED COMPROMISE
COMMON BUILDING BLOCKS - ACCESS AND CORE
INTEGRATED OVERLAY
40G NON-BLOCKING FABRIC
>_
>_
RESILIENCY:
IN SERVICE PATCHING,
UPGRADE, FAST RESTART
END POINT DIRECTORY
PORT DENSITY
50% SIMPLER
CODE BASE
ACI
FUTURE PROOF
UPGRADABLE
TO ACI
NETWORK
VIRTUALIZATION
SUPPORT
PROGRAMMABILITY
AND AUTOMATION
23
24. ACI: RAPID DEPLOYMENT OF APPLICATIONS ONTO
NETWORKS WITH SCALE, SECURITY AND FULL VISIBILITY
Physical
Networking
Hypervisors
and Virtual
Networking
Compute
L4–L7
Services
Storage
Multi DC
WAN and Cloud
ENABLED BY PHYSICAL AND VIRTUAL INTEGRATION
24
25. ACI OPEN APIS AND ECOSYSTEM
Automation
Enterprise
Monitoring
Hypervisor
Management
Systems
Management
Orchestration
Frameworks
OVM
REST API
APIC
Fabric-attached Device API
L4-7 Orchestration Scripting API
NORTHBOUND
PROGRAMMABILITY
LAYER
SOUTHBOUND
PROGRAMMABILITY
LAYER
APIC SUPPORTS A RICH ECOSYSTEM BUILT AROUND OPEN NORTHBOUND AND SOUTHBOUND APIS
25
26. HYPERVISOR SWITCH
• Develop extensions to Open vSwitch to support:
1. Policy enforcement
2. Service Redirection
3. Linux containers
4. Stateful services
26
29. MULTIPLE CONTRACTS
EPG APP SERVER
EPs in EPG WEB can NOT access EPs
in EPG APP SERVER on subjects (L4
ports) specified in these contracts
provider
mgmt contract
consumer
web contract
ssh contract
EPG WEB
EP
EP
EP
.
.
.
EPs in EPG WEB can access EPs in
EPG APP SERVER on subjects (L4
ports) specified in this contract,
subjected to actions in this contract
à Explicit white-list like model for specifying rules between groups
29
30. EPG CONSUMPTION LABELS
Outside
NW
Internet
web contract
http
provide
consume
EPG
WEB
For
Internet
https
NW
Intranet
consume
ftp
provide
EPG
WEB
For
Intranet
EPG Label
Allows to chose a group of EPGs behind the contract
“NW Internet” can only access “EPG WEB For Internet”
“NW Intranet” can access both “EPG WEB For Internet” and “EPG WEB For Internet”
30
32. WHY IS NETWORKING SO HARD?
à the rest is path optimization
YES You can talk about this:
{ subject*, L4 Ports, … }
A
NO You can’t
B
à End point A can talk to end point B
C
D
à End point C can’t talk to end point D
32
