Packet Transport Infrastructure for Service Providers


2 Packet Transport Infrastructure for Service Providers
David Jakl, Cisco Systems Engineer

3 Motivation: What are Service Operator Challenges?
- Explosive bandwidth growth, static or reduced budgets: OTT services, video, mobility drive bandwidth, networks continue to grow. Answer: Scalable Architecture
- Increasing operational complexity: managing 100s to 1,000s of devices with different procedures, different user interfaces, different systems. Answer: Simple, Uniform and Open Architecture
- Stagnant $ revenue: competitive pressure, price erosion; need to capture new markets but time to deploy for new services is too slow. Answer: Programmable, Open Architecture

4 Cisco Open Network Environment
[Diagram: Applications and Services (Video, Business, Cloud, Mobility) on top of the Evolved Services Platform (Service Broker, Service Orchestration, Service Catalog, Policy, Business Intents, Real-Time Analytics, APIs) and the Evolved Programmable Network (Access, Edge, Core; NCS; CDN, VM / Storage, Control). Goals named on the slide: Agility, Optimize Revenue, Seamless Experience, Open and Programmable, Automated, Always ON, Intelligent Convergence, Application Interaction, On-Demand Services Anywhere, Fully Virtualized, Dynamic Scale.]

5 Agenda
- EPN 4.0
- nv Satellite
- Autonomic Networking
- Zero-IP
- Autonomic Carrier Ethernet
- Summary

6 EPN 4.0

7 Cisco Evolved Programmable Network: Leading the NFV / SDN Evolution
Cisco's Open Network Environment, EPN System Scope
- Network Function Virtualization (vgilan, vfirewall, vdpi, vnat, vbng, vddos, vslb; VMs): part of ESP and EPN (Network, Storage, Compute)
- Orchestration (ESP, Cloud Orchestration, WAE, Quantum PS): Network APIs (REST) and Services Catalog
- Controllers, Collectors: Multi-layer Control, Service Chaining and Policy Enforcement
- Virtualized Infrastructure (Cisco nv, nLight IP+Optical, Virtualized IOS-XR VM, Virtual PE): Programming and Managing of Virtual Resources (onepk, OpenFlow, PCEP, Netconf/yang, BGP-LS, GMPLS)
- Physical Infrastructure (ME Series, ASR 9XX, NCS2000, NCS4000, ASR 9000, CRS, NCS6000, Nexus, UCS): Programming and Managing of Physical Resources

8 EPN System Overview
- Business Convergence: Unified L3 VPN experience; Seamless and Personalized BYOD remote access and VPN Access
- Consumer Convergence: Unified Subscriber Experience
- Virtualized Network Services: Virtualized RR, PCRF, CPEs; Integrated BNG, WAG, CGN; Virtualized PGW, BRAS
- Unified MPLS Transport: nv, MPLS, Ethernet access; AN; µwave ACM
[Diagram labels: Enterprise FMC, Corporate, Residential FMC, IP]

9 EPN System Components
[Diagram labels, in slide order: AAA, PCRF: Quantum Policy Server; Unified Subscriber Experience; Enterprise Fixed; DHCP: Cisco PNR; Corporate; Residential Fixed; IP; Mobile; OpenStack; MAG; Orchestration; NMS; Fixed MAG; Prime Network Provisioning & Performance; LMA; MPC; Seamless Subscriber Mobility; Fixed PCRF; Virtualized Route Reflector; Virtualized PGW, BRAS, CPE, VXLAN GW; CSG: ASR 901, ASR 920; CPEs: vhn, CSR1000v, ISR, ASR1k; FAN (PON, DSL, Ethernet): ME 4600, 2600; PAN-SE: ASR-9001; Fixed Edge; Converged DPI; AGN-SE / PAN-SE: ASR-900X; Fixed CGN; CN: CRS-3; Unified MPLS Transport; AGN-SE / PAN-SE: ASR-900X; Mobile Edge; PAN: ASR-903; FAN: ASR 920, ME3600X; NID: ME-1200; FAN (PON, DSL, Ethernet): ME 4600, 2600]

10 Unified MPLS: What Key Technologies Are Involved?
- RFC 3107 label allocation provides hierarchy for scale
- BGP Filtering Mechanisms enable the network to learn what is needed, where it is needed and when it is needed
- Seamless multicast integration with LSM and mLDP
- Flexible Access Network Integration options: MPLS (Labeled BGP Extension, LDP), Ethernet, nv
- Remote LFA FRR and BGP PIC for seamless intra- and inter-domain high availability
- Contiguous and consistent Transport and Service OAM and Performance Monitoring
- Autonomic Networks for Unified MPLS Self Organization
- Microwave ACM for Unified MPLS network self-correlation
- Auto-IP address assignment and dynamic change
- Virtualized L2/L3 Services Edge with PW Headend

11 Unified MPLS Transport: Single AS, Multi-Area
LSPs between Remote Access Node Loopbacks
[Diagram: Access IGP Domain, Aggregation IGP Domain, Core IGP Domain, Aggregation IGP Domain, Access IGP Domain. Nodes: AN, PAN-ABR (Inline-RR), CN-ABR (Inline-RR), Central RR, CN-ABR (Inline-RR), PAN-ABR (Inline-RR), AN, MTG. Control: iBGP IPv4+label sessions with Next-Hop-Self at the ABRs; Imp-Null. Forwarding: an LDP LSP inside each domain (push/swap/pop per domain), the iBGP hierarchical LSP end to end (push, swap at each ABR, pop), and the service LSP on top. Label stack: LDP label, BGP label, service label.]

12 Unified MPLS BGP Control Plane: Single AS, Multi Area IGP, labeled BGP Access
- Unified MPLS Transport: PE, Inline RR (NHS), ABR, External RR, Inline RR (NHS), PE (BNG, MSE), connected by iBGP IPv4+label sessions
- Example: IP RAN VPNv4 Service: PE (CSG), Inline RR, External RR, Inline RR, PE MTG (EPC GW), connected by iBGP VPNv4 sessions
[Diagram: Access Network (IP/MPLS Transport; Access Nodes; fiber or µwave link, ring), Aggregation Network (IP/MPLS Transport; Aggregation Nodes; DWDM, fiber rings, H&S, hierarchical topology), Core Network (IP/MPLS Transport; Core ABRs; DWDM, fiber rings, mesh topology), Service Edge Node (BNG, MTG)]

13 Optimal Routing with BGP Accumulated IGP
- Default BGP best path calculation is based on IGP cost to next-hop only
- Next-hop's IGP cost to destination is ignored, leading to suboptimal routing
- BGP AIGP enhances BGP best path calculation by accounting for both cost to next-hop and next-hop's cost to reach destination
- Eliminates sub-optimal routing
[Diagram: AN, Access IGP Domain, PAN-ABR (Inline-RR, NHS), Aggregation IGP Domain, CN-ABR (Inline-RR, NHS), Core IGP Domain, CN-ABR (Inline-RR); iBGP IPv4+label; LDP LSPs and the iBGP hierarchical LSP. Path labels: "AIGP=5, Total Cost = 10", "Traffic Forwarding", "AIGP=10, Total Cost = 15".]

14 MPLS Resiliency Solution: LFA and Remote LFA
- LFA simplifies management of the underlying infrastructure
- When no local LFA is available, a node dynamically computes its remote loop-free alternate node(s)
  - Done during SPF calculations using the PQ algorithm (see draft)
- The node automatically establishes a directed LDP session to the remote node
  - The directed LDP session is used to exchange labels for the FEC in question
- On failure, the node uses label stacking to tunnel traffic to the Remote LFA node, which in turn forwards it to the destination
[Diagram: Backbone and Access Region; nodes C1, C2, C3, C4, C5, A1, A2; directed LDP session]

15 Remote LFA FRR - Protection
C2's LIB:
- C1's label for FEC A1 = 20
- C3's label for FEC C5 = 99
- C5's label for FEC A1 = 21
On failure, C2 sends A1-destined traffic onto an LSP destined to C5:
- Swap per-prefix label 20 with 21 that is expected by C5 for that prefix, and push label 99
When C5 receives the traffic, the top label 21 is the one that it expects for that prefix and hence it forwards it onto the destination using the shortest path avoiding the link C1-C2.
[Diagram: Backbone and Access Region; nodes C1, C2, C3, C5, A1, A2, E1; failed link C1-C2 marked X; label 20 toward C1, label 99 toward C3; directed LDP session between C2 and C5]
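The label operations on this slide, traced hop by hop as an added example (not part of the original slides). Labels 20, 21 and 99 are the slide's; C2's own label 22 for FEC A1, penultimate-hop popping, and the adjacencies C3-C5, C5-C1 and C1-A1 are assumptions made so the trace can run. The last case shows why the directed LDP session matters: without C5's label 21, the tunnelled packet arrives at C5 carrying a label C5 never advertised.

```python
from typing import NamedTuple, Optional


class Entry(NamedTuple):
    swap_to: Optional[int]   # None means pop (penultimate-hop popping)
    push: tuple              # labels pushed on top after the swap
    next_hop: str


# Label forwarding tables. 20, 21 and 99 come from the slide; label 22
# (C2's own label for FEC A1) and the adjacencies are assumptions.
LFIB = {
    "C2": {22: Entry(20, (), "C1")},      # primary: swap to C1's label for A1
    "C3": {99: Entry(None, (), "C5")},    # tunnel LSP towards C5, PHP
    "C5": {21: Entry(20, (), "C1")},      # C5's own label for FEC A1
    "C1": {20: Entry(None, (), "A1")},    # C1's label for FEC A1, PHP
}

# Remote LFA repair entry at C2: swap to 21 (learned from C5 over the
# directed LDP session), then push 99 (C3's label for FEC C5).
REPAIR = {"C2": {22: Entry(21, (99,), "C3")}}

# What C2 could do WITHOUT the directed LDP session: it only knows C1's
# label 20 for the prefix, so it tunnels that label to C5.
NAIVE_REPAIR = {"C2": {22: Entry(20, (99,), "C3")}}


def forward(node, stack, failed=frozenset(), repair=REPAIR):
    """Forward a labelled packet; return (trace, egress node or None if dropped).

    trace is a list of (node, label stack as seen on arrival at that node).
    failed is a set of frozenset({a, b}) links that are down.
    """
    stack = tuple(stack)
    trace = [(node, stack)]
    while stack:
        entry = LFIB.get(node, {}).get(stack[0])
        if entry is None:
            return trace, None            # label unknown at this node: drop
        if frozenset((node, entry.next_hop)) in failed:
            entry = repair.get(node, {}).get(stack[0])
            if entry is None:
                return trace, None        # no repair path installed
        inner = () if entry.swap_to is None else (entry.swap_to,)
        stack = entry.push + inner + stack[1:]
        node = entry.next_hop
        trace.append((node, stack))
    return trace, node


if __name__ == "__main__":
    link_down = frozenset({frozenset(("C1", "C2"))})
    for title, kwargs in [
        ("no failure", {}),
        ("C1-C2 down, Remote LFA repair", {"failed": link_down}),
        ("C1-C2 down, no directed LDP label",
         {"failed": link_down, "repair": NAIVE_REPAIR}),
    ]:
        trace, egress = forward("C2", [22], **kwargs)
        print(title, "->", egress or "DROPPED")
        for hop, labels in trace:
            print("   ", hop, list(labels))
```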

16 Ethernet Access: Hub-and-Spoke Topology
- MC-LAG with ICCP: Active/Standby mode; supports both L2 and L3 service; L3 service has two configuration options: IRB or L3 sub-interface
- MC-LAG with PBB-EVPN: Active/Active per-flow or per-service LB; supports L2 service only with PBB-EVPN
- ICCP-SM: supports both L2 and L3 services (ELINE provisioned as ELAN); L2 service: per-vlan load balancing; L3 service: active/active on both links
[Diagram, per option: CE1 dual-attached to PE1 and PE2 in front of the MPLS Core; for ICCP-SM the links carry L2 VID X / L3 VID Z and L2 VID Y / L3 VID Z]

17 Ethernet Access: Ring and Mesh Topology
- G.8032: standard ring architecture for Ethernet and xPON access
- REP and REP-AG: legacy deployed prestandard Cisco solution
- ICCP-SM (or STP-AG): ICCP-SM or MST/PVST-AG can address any L2 topology
[Diagram, per option: CE1 and CE2 (VID X, VID Y) attached to PE1 and PE2 in front of the MPLS Core. G.8032: open sub-ring, RPL link, R-APS. REP: ALT port, REP Edge No Neighbour, REP-AG on the PEs.]

18 Mobile Transport with Microwave ACM
- Access Network capable to adapt intelligently to µwave capacity drops
- Y.1731 VSM signals Microwave Adaptive Code Modulation changes to the Access Node
- MPLS Access Nodes adapt link IGP metric to new capacity, triggering SPF recalculation
- Ethernet Access Nodes trigger G.8032 failover below a certain capacity threshold
- Optionally the Access Node can change Hierarchical QOS policy; this allows EF traffic to survive despite drop of capacity
[Diagram: IP/MPLS or Ethernet interface; Aggregation Nodes; policy logic that updates IGP metric / G.8032 topology and H-QOS; microwave fading; Y.1731 VSM signals the microwave link speed]

19 Multicast Architecture
- Core/Aggregation Network runs mLDP
  - Supports business mVPNs
  - Supports IP multicast for eMBMS and IPTV
- Access/Pre-Aggregation Network runs PIM v4/v6, with VRF route leaking for eMBMS
  - Enables eMBMS and IPTV services to reach Access Nodes (eNBs, DSLAMs)
- Sources distributed over BGP labeled unicast (v4 or v6) in Core and Aggregation and redistributed into Pre-Aggregation and Access IGP v6 processes
[Diagram: PIM v4/v6 in the Access IP/MPLS domain; recursive mLDP MP LSP across Aggregation Network, Core Network and Aggregation Network IP/MPLS domains; Aggregation Nodes, Core Nodes, Mcast Source, Mcast Receivers]

20 EPN 4.0 DIGs

21 EPN MEF CE 2.0 Certified

22 nv Satellite

23 Traditional FTTx Access and Agg Network
[Diagram: Customer Premises (RG), UNI, FTTx Access Network, NNI, Carrier Ethernet Aggregation, IP/MPLS Agg POP (MSE, BNG). Ethernet Access: MC-LAG, routed/bridged, trunk/vlan N:1 and 1:1, IGMP-SN; MST, REP, G.8032; EPL, EVPL, ELAN, EVLAN, MST, .1q tunneling w L2PT; IGMP-SN, IGMP filter. Element Management Systems (Resource Manager, Service Manager, South/Northbound Provisioning, Troubleshooting).]

24 FTTx Access and Agg Network: nv Simplicity
[Diagram: the same network as the previous slide (Customer Premises with RG, UNI, FTTx Access Network, NNI, Carrier Ethernet Aggregation, IP/MPLS Agg POP with MSE and BNG; MC-LAG, routed/bridged, trunk/vlan N:1 and 1:1, IGMP-SN, MST, REP, G.8032, EPL, EVPL, ELAN, EVLAN, .1q tunneling w L2PT, IGMP filter), with the access and aggregation nodes replaced by nv Satellites forming one nv System. Two overlaid captions: "Element Management Systems (Resource Manager, Service Manager, South/Northbound Provisioning, Troubleshooting)" and "Element Management System (OAM, Provisioning, Troubleshooting)".]

25 What is the nv Satellite Solution?
A single logical switch/router built by interconnecting an ASR9K and one or more smaller satellite switches.
[Diagram: Satellite 1, Satellite 2 ... Satellite n, each connected over N x 10G to the ASR 9000: One Virtual System]

26 The Cisco ASR 9000v Overview
nv Satellite to ASR9000 and CRS-3 host
- Power Feeds: single AC power feed; or redundant +24vDC and -48vDC power feeds
- 1 RU, ANSI & ETSI compliant
- LEDs
- Field Replaceable Fan Tray, Redundant Fans
- ToD/PSS Output, BITS Out
- 44x10/100/1000 Mbps Pluggables
- Full Line Rate Packet Processing and Traffic Management
- Wide range of ONS and TMG 1G SFP and 10G SFP+ optics supported, including copper, fiber, CWDM/DWDM
- 4x10G SFP+ Inter-Chassis Link Fabric Ports
- Plug-n-Play In-Band Management
- Automatic Discovery and Provisioning
- Co-Located or Remote Distribution
- Industrial Temp Rated: -40C to +65C Operational Temperature, -40C to +70C Storage Temperature

27 nv Satellite ASR 901 and ASR 903 Overview
ASR901 Satellite Platform: Compact, Efficient & Hardened Device
- 1RU, 17.5 in x 1.72 in x 8.3 in (W*H*D)
- 12 Gbps switching capacity
- Redundant power and fans
- Low power consumption: <~50W
- Fits in 300 mm cabinets, 1RU
- Extended operating temp range -40 to 65 C
- Side-2-side cooling
- Interfaces* and per-slot density: Ethernet: 12 x GE
ASR903 Satellite Platform: Compact, Redundant, Hardened
- 3RU, 6 interface slots
- 55Gbps throughput with 1st Gen RSP
- Redundant PSUs (<550W), FANs and RSPs
- Fits in 300mm cabinet (235mm deep), 19" EIA
- Extended operating temp: -40º to 65º C (DC)
- Interfaces* and per-slot density: Ethernet: 1x10GE and 8x1GE Interface
*Only Ethernet Interfaces are supported

28 nv Satellite System High-Level Overview
- A special XR nv image on a satellite switch makes it an ASR 9000 nv satellite
- Satellite Auto Discovery and Control Protocol (SADCP) makes the satellite a virtual line card of the ASR 9000 Host
- From the end user's point of view, it's a single logical system: the ASR 9000 nv System. All management and configuration is done on the Host chassis
- Satellite and Host can be co-located or in different locations; no distance limitation
- Satellites have zero touch configuration
[Diagram: satellite access port, nv GigEthernet port, Satellite Fabric Links (ICLs), Satellite Auto Discovery and Control Protocol, ASR9000 Host: One nv System]

29 nv Auto Discovery and Control Protocol Operation
Frame layout shown: MAC-DA | MAC-SA | Control VID | Payload/FCS (between Satellite CPU and Host CPU)
Discovery Phase
- A CDP-like link-level protocol that discovers satellites and maintains a periodic heartbeat
- Heartbeat sent once every second to detect satellite or fabric link failures. CFM-based fast failure detection planned for a future release
Control Phase
- TCP-based control protocol used for Inter-Process Communication between Host and Satellite
- Get/Set style messages to provision the satellites and retrieve notifications from the satellite

30 nv Satellite and Host Data Plane Forwarding
Frame on the access port: MAC-DA | MAC-SA | VLANs (OPT) | Payload
Frame on the fabric link: MAC-DA | MAC-SA | nv-tag | VLANs (OPT) | Payload
On Satellite
- Ethernet frame received on access port
- Special nv-tag is added to the frame
- Local xconnect between access and fabric port (no MAC learning)
- Packet is placed into the fabric port egress queue and transmitted out toward the Host
On Host
- Host receives the packet on its satellite fabric port
- Maps the frame to the corresponding satellite virtual access port based on the nv tag
- Packet processing is identical to local ports (L2/L3 features, QoS, ACL, etc. all done in the NPU)
- Packet is forwarded out of a local port, or a satellite fabric port to the same or a different satellite

31 nv Satellite ID and Type Configuration
Host nv configuration mode: define the Satellite
- Provide a unique Satellite ID
- Identify the Satellite Type (e.g. asr9000v, asr901, asr903)
- Optional: identify the Satellite Serial Number
- Optional: specify an MD5 password for any telnet activities with the Satellite

    nv
     satellite 101
      description satellite 101 at bldg 16, 3700 Cisco Way
      type asr9000v
      serial-number CAT G
      secret 5 $1$S9sddjds00/3495

[Diagram: Satellite 101 access port, Satellite Fabric Link (ICL*), nv GigEthernet port, ASR9000 Host: One nv System]

32 nv Satellite Fabric Port and Access Port Mapping Configuration
Define Satellite Fabric Port(s)
- Identify the Satellite ID connected to the Fabric Port
- Map Satellite Access Ports to the Fabric Port Interface

    interface TenGigE 0/2/0/2
     nv
      satellite-fabric-link satellite 101
       remote-ports GigabitEthernet 0/0/0-9

[Diagram: Satellite 101 access port, Satellite Fabric Link (ICL*), nv GigEthernet port, ASR9000 Host: One nv System]

33 nv Satellite Interface Configuration
Interface and Sub-interface CLI Example

    interface GigabitEthernet 101/0/0/1
     ipv4 address
    interface GigabitEthernet 101/0/0/2.100 l2transport
     encapsulation dot1q 100
     rewrite ingress tag push dot1q 2

- All Satellite configuration is done on the Host
- Satellite is a remote line card: access ports have feature parity with ASR9K local ports
- nv Satellite interface naming follows the same local interface naming convention: sat-id / sat-slot / sat-bay / sat-port
[Diagram: Satellite 101 access port, Satellite Fabric Link (ICL*), nv GigEthernet port, ASR9000 Host: One nv System]

34 nv Satellite Supported Network Topologies - Port Extender
- Single Home, Static Pinning: Satellite to ASR9K/CRS-3
- Single Home, Fabric Link Bundle: Satellite to ASR9K/CRS-3
- Dual Home to Cluster, Static Pinning: Satellite to ASR9K nv Edge
- Dual Home to Cluster, Fabric Link Bundle: Satellite to ASR9K nv Edge

35 nv Satellite L2 Fabric, Ring Topologies
- Extending the satellite connection across a Layer 2 network: a native 802.1Q tag is added to the Satellite-Host control and data plane protocol
- Expanding to support ring and cascaded topologies
- Maintains the same plug & play operational simplicity
- CFM/CCM used for fast failure detection*
* CFM/CCM for simple ring and cascading will be in future releases
[Diagram: L2 fabric with satellites reaching Host A over VLAN-A and Host B over VLAN-B, monitored by CFM; ring of satellites between Host A and Host B; cascaded satellites behind one Host]

36 nv Satellite L1 Dual Homing Solution
- Same satellite dual homed to two separate ASR9k Hosts: Primary and Backup
- Each host has an independent control channel with the satellite
- Satellite is notified which host is primary or backup
- Satellite honors the configuration from its primary host if there is a conflict. Syslog message generated if conflict
- Load balancing could be per satellite, or per satellite access port (in future releases)
- If the satellite loses its primary host or link, failover occurs to its backup host
[Diagram: Satellite 1 (Primary Host A, Backup Host B) and Satellite 2 (Primary Host B, Backup Host A), each connected to Host A and Host B; E-ICCP between the hosts]

37 Dual-Hosts nv Satellite Configuration
Host1 Config:

    ! ICCP Redundancy Group Config
    redundancy
     iccp
      group 1
       member
        neighbor
       ! Optional ICCP Group Sys MAC Config
       nv satellite
        system-mac 8478.ac47.dd90
    ! Host Priority Config for Satellite 101
    nv
     satellite 101
      type asr9000v
      redundancy
       host-priority 10
    ! Use ICCP Group 1 for Satellite 101 Dual Hosts Operation
    interface TenGigE0/0/2/2
     nv
      satellite-fabric-link satellite 101
       redundancy
        iccp-group 1
       remote-ports GigabitEthernet 0/0/0-43

Host2 Config:

    redundancy
     iccp
      group 1
       member
        neighbor
       nv satellite
        system-mac 8478.ac47.dd90
    nv
     satellite 101
      type asr9000v
      redundancy
       host-priority 20
    interface TenGigE0/0/2/2
     nv
      satellite-fabric-link satellite 101
       redundancy
        iccp-group 1
       remote-ports GigabitEthernet 0/0/0-43

38 Data Plane Encapsulation: Ring/Cascading
- On the ring, one tag is not sufficient to identify both the Satellite and the Satellite access port
- 802.1ah (mac-in-mac) encapsulation for Ring
  - B-MAC identifies the Satellite or Host (Host ID, Satellite ID)
  - I-SID identifies the Satellite access port (Satellite Access Port ID)
- Switching decision at satellite: if MAC DA == My Satellite Chassis MAC, consume; else continue on ring
- BVID in B-MAC bridging domain
  - Untagged for SDCP control packet and CFM
  - Single BVID for user data packet
  - Different BVID for ring local multicast replication
Frame layout shown: DMAC: Host1 | SMAC: S102 | BVID | I-SID | Original Access Port Frame
[Diagram: ring of satellites S101, S102, S103 between Host 1 and Host 2]

39 nv Satellite Simple Ring Dual Host Configuration
Host1 Config:

    ! Satellite 101 Config
    nv
     satellite 101
      type asr9000v
      redundancy
       host-priority 10
      serial-number CAT1649U12B
     ! Satellite 103 Config
     satellite 103
      type asr9000v
      redundancy
       host-priority 20
      serial-number CAT1521B1BY
    ! Simple Ring Fabric Link, Redundancy, and Per Satellite Port Mapping Config
    interface TenGigE0/0/2/0
     nv
      satellite-fabric-link network
       redundancy
        iccp-group 1
       satellite 101
        remote-ports GigabitEthernet 0/0/0-6
       satellite 103
        remote-ports GigabitEthernet 0/0/0-5

Host2 Config:

    nv
     satellite 101
      type asr9000v
      redundancy
       host-priority 20
      serial-number CAT1649U12B
     satellite 103
      type asr9000v
      redundancy
       host-priority 10
      serial-number CAT1521B1BY
    interface TenGigE0/0/2/0
     nv
      satellite-fabric-link network
       redundancy
        iccp-group 1
       satellite 101
        remote-ports GigabitEthernet 0/0/0-6
       satellite 103
        remote-ports GigabitEthernet 0/0/0-5

40 L2 Fabric Overview: Supported Models
- L2 Fabric supports satellite connectivity across Ethernet Layer 2 domains
- Satellite Fabric Link Redundancy
  - Single physical link with two VLAN/EVC
  - Two physical links with one VLAN/EVC each
- Each Host L2 sub-interface is mapped to one satellite fabric port
- Transport VLAN (B-VLAN) is used for packet forwarding in the L2 cloud
- Native L2 (802.1q) handoff
Frame layout shown: DMAC: H1 | SMAC: S2 | BVID | I-SID | Original Access Port Frame
[Diagram: satellites S101 and S102 reach Host 1 and Host 2 across a Layer 2 VLAN EVC transport network; VLANs 10, 11, 20, 21; Host 1 sub-interface terminating VLAN 10, 11; Host 2 sub-interface terminating VLAN 20, 21]

41 nv Satellite L2 Fabric Dual Host Configuration
Host1 Config:

    ! Satellite 101 Config
    nv
     satellite 101
      type asr9000v
      redundancy
       host-priority 10
      serial-number CAT1604B17B
    ! Satellite 101 L2fabric VLAN Subinterface Config
    interface TenGigE0/0/1/0.10
     encapsulation dot1q 10
     nv
      satellite-fabric-link satellite 101
       ! L2fabric VLAN EVC CFM/CCM Monitoring
       ethernet cfm
        continuity-check interval 10ms
       ! Satellite 101 L2fabric Dual Hosts Redundancy and Access Port Mapping
       redundancy
        iccp-group 1
       remote-ports GigabitEthernet 0/0/0-5

Host2 Config:

    nv
     satellite 101
      type asr9000v
      redundancy
       host-priority 20
      serial-number CAT1604B17B
    interface TenGigE0/0/1/0.21
     encapsulation dot1q 21
     nv
      satellite-fabric-link satellite 101
       ethernet cfm
        continuity-check interval 10ms
       redundancy
        iccp-group 1
       remote-ports GigabitEthernet 0/0/0-5

42 nv L2 Multicast offload for MEF and Enterprise services
Multicast stream from core locally replicated at satellite nodes
- Multicast replication offloaded from nv host to satellite
  - Optimized BW utilization in nv ring
- IGMP snooping enabled on nv Hosts to learn active multicast receivers on the nv ring
- Multicast membership information propagated to satellites via Cisco proprietary nv protocol
  - Enables each satellite to perform multicast replication locally
- Both hosts receive the same multicast membership requests from the nv ring
  - Send single copies of the same multicast streams
- Each satellite replicates multicast traffic from only one selected nv Host and forwards to receivers
[Diagram: CPEs sending IGMP to nv Satellites on an nv ring between two nv Hosts (PAN-SE) running IGMP snooping]

43 nv Satellite Service Activation Testing
Satellite dataplane loopback testing for PM and service activation
- User configures the nv virtual interface just as any L2/L3 interface or sub-interface on the host
- Satellite interface loopback is configured at the Host

Internal loopback (Tester on the Host side, Satellite ID 101, ASR 9000 nv System):

    interface GigabitEthernet 101/0/0/1
     loopback internal

Line loopback (CE on the satellite side, Satellite ID 101, ASR 9000 nv System):

    interface GigabitEthernet 101/0/0/1
     loopback line

44 Autonomic Networking

45 Deployment and Operations: Current Methodology
[Workflow diagram, stages as extracted: Purchase; Service Activation; Installation (Truck Roll); Pre-Staging; Handling Misconfigurations (Truck Roll); Management/Customization]

46 Autonomic Networking: The Vision
- Self-Managing
- Self-Configuring
- Self-Optimizing
- Self-Protecting
- Self-Healing

47 Circling back
Thus, the most efficient workflow eliminates Pre-Staging and unnecessary truck rolls:
Purchase, Installation (Truck Roll), Service Activation, Management/Customization

48 The Autonomic Networking Infrastructure
- Zero-Touch Deployment
- Management/Customization (EEM / PRIME / SDN controller)
- Security: Network SUDI/UDI authentication, Domain Certificates
- Consistent Reachability: Autonomic Control Plane, an indestructible, virtual out-of-band channel
- Discovery: Channel Discovery, Service Discovery

49 The Autonomic Networking Infrastructure Explained
1. Channel discovery. Goal: find the channel (VLAN) to communicate on
2. Adjacency discovery. Goal: find Autonomic neighbors of the same domain, OR download Certificate from Registrar (post-authentication)
3. Join AN Domain. Goal: join AN Domain after Certificate download
4. Autonomic Control Plane. Goal: secure, always available communication channel
5. Autonomic Processes. Goal: network embedded intelligence, Service Discovery
[Diagram: New Device, discovered L2 cloud (E-LINE, E-LAN, E-TREE), Proxy Device, rest of Autonomic Network, Registrar; CA, AAA and TFTP servers]

50 Configure a Registrar

    Router#configure terminal
    ! Enter Autonomic Registrar Config mode
    Router(config)#autonomic registrar
    ! Configure domain-id; any name will do
    Router(config-registrar)#domain-id cisco.com
    ! Choose either external or local CA
    Router(config-registrar)# CA external/local
    ! Specify the external CA's url (if selected)
    Router(config-registrar)#external-CA url <>
    ! Specify a local whitelist (Optional)
    Router(config-registrar)#whitelist disk:whitelist.txt
    ! Unshut the Registrar. You're done
    Router(config-registrar)#no shut

- If external-ca url is not specified, the Registrar runs an IOS CA locally
- Can the whitelist be made optional?

51 Registrar Redundancy
- A Registrar in an Autonomic domain:
  - validates new devices (whitelist)
  - hands out domain certificates
- 1 Registrar failure: no new devices can join the autonomic domain
- Good practice to configure multiple registrars
- Registrars can be distributed; no need to be neighbors
[Diagram: two Registrars labelled "Identical Configuration"]

52 Create a Whitelist
- Devices joining the domain must be validated before handing out certificates
- Create a whitelist (text file) of UDIs that are allowed to join
  - Automatically generated by Cisco (from Bill of Sale) for new devices
  - Updated by Customer for existing devices
- Load the whitelist on the Registrar (manually)
[Diagram: Purchase, Bill of Sale; Cisco creates whitelist for new devices; Customer updates for existing devices; Registrar (CSR1000v)]
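An audit of registrar whitelists, as an added example that is not part of the original slides or Cisco's implementation: it parses each whitelist, flags malformed and duplicate entries, applies the admit-only-if-listed rule, and reports drift between redundant registrars, which the previous slide expects to carry identical configuration. The entry format `PID:<product-id> SN:<serial>` (one UDI per line), the function names and all sample UDIs are assumptions constructed for the example.

```python
import re

# Assumed whitelist entry format: "PID:<product-id> SN:<serial>", one per line.
UDI_RE = re.compile(r"PID:(\S+)\s+SN:([A-Z0-9]+)")


def parse_whitelist(text):
    """Return (set of normalised UDIs, list of (line number, problem))."""
    udis, problems = set(), []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue                       # blank lines are ignored
        match = UDI_RE.fullmatch(line)
        if match is None:
            problems.append((number, "malformed"))
            continue
        udi = "PID:%s SN:%s" % match.groups()   # collapse inner whitespace
        if udi in udis:
            problems.append((number, "duplicate"))
        udis.add(udi)
    return udis, problems


def admit(udi, udis):
    """Registrar decision: a domain certificate goes only to a listed UDI."""
    presented, problems = parse_whitelist(udi)
    return not problems and len(presented) == 1 and presented <= udis


def whitelist_drift(registrars):
    """Map registrar name -> sorted UDIs it lacks but another registrar lists.

    A device in that list is admitted by one registrar and rejected by the
    other, so the outcome depends on which registrar it happens to reach.
    """
    parsed = {name: parse_whitelist(text)[0] for name, text in registrars.items()}
    union = set().union(*parsed.values())
    return {name: sorted(union - udis)
            for name, udis in parsed.items() if union - udis}


# Constructed sample whitelists (not real devices).
REGISTRAR_A = """\
PID:ASR-920-EXAMPLE SN:EXAMPLE0001
PID:ASR-903-EXAMPLE SN:EXAMPLE0002

PID:ASR-903-EXAMPLE   SN:EXAMPLE0002
ASR-901 EXAMPLE0003
"""
REGISTRAR_B = """\
PID:ASR-920-EXAMPLE SN:EXAMPLE0001
"""

if __name__ == "__main__":
    allowed, issues = parse_whitelist(REGISTRAR_A)
    print("registrar A entries:", sorted(allowed))
    print("registrar A problems:", issues)
    for candidate in ("PID:ASR-903-EXAMPLE SN:EXAMPLE0002",
                      "PID:ASR-901-EXAMPLE SN:EXAMPLE0003"):
        print(candidate, "->", "admit" if admit(candidate, allowed) else "reject")
    print("drift:", whitelist_drift({"A": REGISTRAR_A, "B": REGISTRAR_B}))
```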

53 Channel Discovery
[Diagram: device "Michael", Dark Layer 2 Cloud, Registrar; "VLAN noted" at both ends]

54 Bring up Remote Sites: Channel Discovery
- Newly installed device is always passive
- Typically, VLAN based E-LINE services: each NID permits one VLAN
- Channel discovery helps discover the allowed VLAN
- ACP is kept separate from the data plane using a QinQ service instance with fixed inner vlan = 4094
[Diagram: Third-Party Metro-Ethernet Cloud; NID only allows VLAN 416; probe for VLAN = 416 passes through; outer VLAN, inner VLAN]

55 Restricting VLAN Ranges with Channel Discovery
- Intent configured on registrar
- Flooded through network

    Router#configure terminal
    Router(config)#autonomic intent
    Router(config-intent)#acp outer-vlans
    Router(config-intent)#end

[Diagram: Registrar]

56 Domain Certificates: Secure by Default
Validate UDI against local whitelist
[Diagram: device "Michael", Dark Layer 2 Cloud, Registrar]

57 Autonomic Control Plane (ACP)

    Router# show autonomic device
    UDI                 <UDI>
    Device ID           Router-1
    Domain ID           cisco.com
    Domain Certificate  (sub:) cn=router-1:cisco.com
    Device Address      FD08:2EEF:C2EE::D253:5185:5472

[Diagram: device "Michael", Dark Layer 2 Cloud, Registrar]

58 Proxy Bootstrap
"Hi Michael, I'm Steve. What do I need to configure to join?"
"Nothing. Welcome to AN. I'll be your guide."
[Diagram: devices "Steve" and "Michael", Dark Layer 2 Cloud, Registrar]

59 Bring up Remote Sites: ACP
- Autonomic Control Plane comes up using the discovered channel
- IPv6 connectivity to Pre-Aggregation devices (ASR903) established
[Diagram: CA; Third Party Metro Ethernet Cloud; device addresses FD08:2EEF:C2EE::D253:5185:547A and FD08:2EEF:C2EE::D253:5185:5237]

60 Tree-like Control plane build-up
Virtual Out Of Band Channel (VOOB)
[Diagram: devices "Steve" and "Michael", Dark Layer 2 Cloud, Registrar]

61 Virtual Out Of Band Channel (VOOB)
[Diagram: AAA; "Misconfig / Interface admin-shut"; devices "Steve" and "Michael", Dark Layer 2 Cloud, Registrar]

62 Advantages of the Autonomic Control Plane (ACP)
- Completely self-managing: no config
- Secure: separate (VPN) and encrypted (IPsec)
- Independent of Routing: only depends on link local addresses
- Independent of Configuration: only certificate visible in sh running
- Visible: lots of show commands, debugs, etc.
- Use as a Virtual Out-Of-Band Channel
[Diagram: two devices, each with a loopback in a VRF, joined by a Secure Tunnel over IPv6 link local addresses]

63 Connect the outside world to the ACP
Connect Services: DNS, AAA, PnP etc. to ACP:

    interface Gig0/3
     autonomic connect
     ipv6 address 2000::10/64
    end

[Diagram: CA, AAA Server, PnP; Third Party Metro Ethernet Cloud]

64 Connecting into the Autonomic Control Plane

    Interface eth 2
     autonomic connect
     ipv6 address 2000::10/64

- Like the normal ip vrf forwarding command
- All devices on this interface have full access to the ACP
- Can SSH, SNMP, etc. to loopbacks
- Long term: servers will be autonomic devices
[Diagram: two devices, each with a loopback in a VRF, joined by a Secure Tunnel]

65 Service Discovery
- Services automatically learnt by all the devices
- Note: these are services in the Autonomic domain context, not Global

    Router#show autonomic service
    Service                  IP-Addr
    Syslog                   2000::1 UNKNOWN
    AAA                      2000::1 UNKNOWN
    AAA Accounting Port
    AAA Authorization Port
    Autonomic registrar      FD08:2EEF:C2EE::D253:5185:5472
    TFTP Server              2000::1 UNKNOWN
    DNS Server               2000::1 UNKNOWN

[Diagram: CA, AAA Server, PnP; Third Party Metro Ethernet Cloud]

66 Automatic Configuration Download
- Accomplish config download using PnP server* or existing TFTP servers
- Bring up Services
[Diagram: Third Party Metro Ethernet Cloud, TFTP]

67 Intent Distribution
- Intent = business policy for the entire network or a subset of the network (SDN controllers, NMS systems)
- Automatic distribution of intent using the intent distribution protocol (IDP)
- Intent timestamp/version is hot-potato-forwarded in the network constantly
- If timestamp > local intent timestamp, pull in intent from neighbour
[Diagram: devices "Steve" and "Michael", Registrar]

68 Virtualizing the Registrar: CSR1000v integration
IOS XE-3.15
Network Operations Center (NOC) with CSR1000v VM acting as the Registrar
[Diagram: CA, AAA Server, PnP, CSR1000v]

69 The Autonomic Networking Infrastructure
- Zero-Touch Deployment
- Management/Customization (EEM / PRIME / SDN controller)
- Security
- Consistent Reachability
- Discovery

70 Device Support: SP, Enterprise and IoT
Supported today:
- ASR 901, ASR 901s, ASR 903, ASR 920, ME 3600, ME 3800
- Catalyst 2000, 3000, 4000, NG3k, IE 2000
- Open Source: Secure Network Bootstrap Infrastructure (SNBI; part of OpenDayLight Helium release)
Roadmap:
- ASR 9000
- ASR 1000, CSR 1000, ISR-G2, ISR-4000
- (more to come)

71 Standardisation
ANIMA Working Group: g/anima/
Early work:
- A Framework for Autonomic Networking (ork-framework)
- Making the Internet Secure by Default
NMRG work:
- Autonomic Networking: Definitions and Design Goals (ork-definitions)
- Gap Analysis for Autonomic Networking
Use case drafts (those are used to derive requirements for the Autonomic Networking Infrastructure):
- Autonomic Networking Use Case for Network Bootstrap
- Autonomic Network Stable Connectivity
- Autonomic Prefix Management in Large-scale Networks
Solution drafts:
- An Autonomic Control Plane
- Bootstrapping Key Infrastructures
- Bootstrapping Trust on a Homenet (this is in homenet, not ANIMA)
- A Generic Discovery and Neg. Protocol for Autonomic Networking (ol)

72 References
- IETF Drafts: see earlier slide
- OpenDayLight Project SNBI
- Autonomic Networking Configuration Guide, Cisco IOS Release 15S
- Cisco IOS Autonomic Networking Command Reference

73 Auto-IP

74 Auto-IP: Self assigning IP address
- LLDP based Auto-IP negotiation
- Assign a unique IP address to the node being inserted
- Neighboring nodes and the inserted node negotiate physical link addresses
- Connectivity established to the new node without manual intervention on existing nodes
- Easy node insertion and IP address assignment in L3 rings

75 Auto-IP Solution Overview
- For ring topology, point-to-point links use a /31 mask
- Both interfaces are equal before the insertion
- After the insertion, the owner and non-owner interfaces are determined automatically, depending on the adjacent routers during the initial negotiation
- After the initial IP auto negotiation and IP address assignment, the owner interface will keep its IP address during any ring operation: insertion/removal/movement (stickiness)
- The non-owner interface could change its IP address based on its new neighbor accordingly during the ring operation
[Diagram: R1 (non-owner), R2 (owner, non-owner), R3 (owner); Auto-IP negotiation between neighbours]

76 Auto-IP: Plug-n-Play for L3 MPLS Ring
[Diagram, three stages: "Initial state" (R1 non-owner, R3 owner, /31 link), "Insert new node" (R2 inserted between R1 and R3 with P=0) and "LLDP negotiation" (priorities P and auto-ip / curr-ip values exchanged; R2 ends up owner towards R1 and non-owner towards R3). The addresses and most priority values did not survive extraction.]
On R2:

    interface GigabitEthernet0/3
     mpls ip
     auto-ip-ring 1 ipv4-address
    interface GigabitEthernet0/4
     mpls ip
     auto-ip-ring 1 ipv4-address

On R2:

    interface GigabitEthernet0/3
     mpls ip
     ip address
     auto-ip-ring 1 ipv4-address
    interface GigabitEthernet0/4
     mpls ip
     ip address
     auto-ip-ring 1 ipv4-address

77 EPN Evolution Autonomic Carrier Ethernet

78 Introducing Autonomic Carrier Ethernet Networks
[Figure: control plane (CP) spectrum from Fully Distributed CP through Balance to Fully Centralized CP; labels: BGP, T-LDP, BGP RFC 3107, RSVP-TE, MPLS LDP, IGP, IP; BGP/SDN, Autonomic IGP + SR; SDN Controller APIs, SDN Controller, OpenFlow; Access, Aggregation]
Autonomic Networking + Segment Routing + SDN
Minimal but sufficient distributed control plane intelligence with centralized intelligence on the SDN controller.

79 Autonomic Carrier Ethernet Architecture Components
Autonomic Network: secure infrastructure, auto discovery, plug-n-play
Segment routing: self-deployed and self-protected, dynamic, flexible traffic engineering
SDN controller: service label provisioning, cloud integration
[Figure: NID with [service label, SR label] stacks (SR labels: optional); SDN Controller; CE; Autonomic CE1, Auto-CE2, Auto-CE3; access node; gateway/service node; Cloud Edge; Core DC; anycast SR labels 1001 and 5001]

80 Transport Architecture Overview
Segment Routing: IGP only, no need for LDP; IGP shortest path as baseline
Any node to any node transport connectivity: SR node label
Service node redundancy: anycast SR label
Link or node protection with Topology Independent Fast ReRoute (TI-FRR): 50ms FRR in any topology
IGP/SR Domain: single area or process
No IGP and LDP interaction, no BGP and LDP LSP hierarchy
50msec auto TI-FRR
[Figure: service nodes with anycast label 1001; Core DC]

81 Inter-domain Transport Architecture
BGP-free option: SDN controlled, without redistribution
SR label stack: {local GW, remote GW, remote node}; isolated IGP islands, no redistribution required, simple, scalable
External SDN controller is used to provision the SR label stack
SDN controller can learn the SR label stack via BGP-LS or via a simple pre-provisioned
BGP-free option: no need for hierarchical transport LSPs (RFC 3107)
SR label stack: [local GW, remote GW, remote node]
A to B: {GW1, GW2, B} = {1001,2001,2}
[Figure: CPE and vCPE; node A and node B (SR node label 2) in separate IGP islands with CE nodes CE1, CE2, CE3; gateways GW1 (anycast SR label 1001, cloud edge) and GW2 (anycast SR label 2001); Core DC; anycast SR label 5001; SDN controllers; SDN-controlled cross-domain SR label stack]

82 Inter-domain Transport Architecture
BGP-free option: SDN controlled, with redistribution
SR label stack: {remote GW, remote node}; isolated IGP islands, simple, scalable, optimized label stack
All service node labels need to be visible to the access nodes: redistribution is required
External SDN controller is used to provision the SR label stack
BGP-free option: no need for hierarchical transport LSPs (RFC 3107)
SR label stack: [remote GW, remote node]
A to B: {GW2, B} = {2001,2}
All service nodes' anycast prefixes and SIDs are redistributed within each CE region
[Figure: CPE and vCPE; node A (SR node label 1) and node B (SR node label 2) in separate IGP islands with CE nodes CE1, CE2; gateways GW1 (anycast SR label 1001, cloud edge) and GW2 (anycast SR label 2001); Core DC; anycast SR label 5001; SDN controllers; SDN-controlled cross-domain SR label stack]
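The two BGP-free options on slides 81 and 82, as an added example that is not part of the original slides: a toy Python model that builds each label stack and walks it hop by hop, showing why the shorter stack only works once the remote gateway label has been redistributed. Labels 1, 2, 1001 and 2001 are the slides' values; the domain names, lookup tables and forwarding loop are simplifying assumptions.

```python
# Added illustration: toy model of the BGP-free inter-domain SR label stacks.
# Labels 1, 2, 1001 and 2001 come from the slides; domain names, tables and
# the forwarding loop are constructed assumptions, not a router implementation.


class Domain:
    """One IGP/SR domain and the SR labels its members can resolve."""

    def __init__(self, name):
        self.name = name
        self.native = {}    # SR label -> owning node, learned from this domain's IGP
        self.imported = {}  # SR label -> local gateway that redistributed it


def build_topology(redistribute):
    """Two isolated IGP islands joined by a core; returns node -> domains."""
    island_a, core, island_b = Domain("island-A"), Domain("core"), Domain("island-B")
    island_a.native = {1: "A", 1001: "GW1"}
    island_b.native = {2: "B", 2001: "GW2"}
    core.native = {1001: "GW1", 2001: "GW2"}
    if redistribute:
        # Remote gateway anycast SIDs become visible inside each island,
        # reachable through the local gateway.
        island_a.imported[2001] = "GW1"
        island_b.imported[1001] = "GW2"
    return {
        "A": [island_a],
        "B": [island_b],
        "GW1": [island_a, core],
        "GW2": [island_b, core],
    }


def build_stack(local_gw, remote_gw, remote_node, redistribute):
    """Label stack the controller provisions on the source node."""
    if redistribute:
        return [remote_gw, remote_node]
    return [local_gw, remote_gw, remote_node]


def forward(membership, src, stack, max_hops=16):
    """Walk the stack; return (final node or None if dropped, path taken)."""
    node, stack, path = src, list(stack), [src]
    for _ in range(max_hops):
        if not stack:
            return node, path
        top = stack[0]
        domains = membership[node]
        owner = next((d.native[top] for d in domains if top in d.native), None)
        if owner is not None:
            stack.pop(0)  # label consumed at the node that owns it
            if owner != node:
                node = owner
                path.append(node)
            continue
        gateway = next((d.imported[top] for d in domains if top in d.imported), None)
        if gateway is not None and gateway != node:
            node = gateway  # carried to the redistributing gateway, label kept
            path.append(node)
            continue
        return None, path  # top label unknown in this domain: packet dropped
    return None, path


def audit(membership, src, stack, expected_dst):
    """Check a provisioned stack before it is pushed to the source node."""
    return forward(membership, src, stack)[0] == expected_dst


if __name__ == "__main__":
    for mode in (False, True):
        topo = build_topology(redistribute=mode)
        stack = build_stack(1001, 2001, 2, redistribute=mode)
        print("redistribution" if mode else "no redistribution", stack, forward(topo, "A", stack))
    # The optimized stack is dropped at A when nothing was redistributed.
    print(forward(build_topology(False), "A", [2001, 2]))
```

Running `audit` over every stack a controller is about to provision catches the case where the two-label form is pushed into an island that never received the redistributed gateway labels.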

83 Cross-Domain: CE Transport to DC Network
Data Center domain can be easily integrated with Carrier Ethernet Transport network
Both the CPE/NID and the virtual PE are provisioned with SR label stack
Carrier Ethernet and Data Center network perform MPLS label forwarding between NID and vPE
NID to vPE: {1001, 2001, 100}
vPE to NID: {2001, 1001, 100}
[Figure: CPE and NID (NID label 100); GW1; service nodes with anycast label 1001; Core; GW:DC; DC SR domain with service nodes anycast label 2001; vPE (label 100)]

84 Intra-domain Service Architecture
P2P static Pseudowire provisioned by SDN controller or NMS
Anycast SR label used to provide Service node redundancy
TI-LFA leveraged to achieve 50ms FRR in any topology
Service 1: E-line between two nodes
Service 2: L3VPN with PWHE
[Figure: E-Line between Node 1 and Node 2, and from the UNI on Node 1 to the L3 VPN on a redundant service node; [SR label, service label] stacks [{1001}, 60002], [{2}, 60001], [{1}, 60001], [{1}, 60002]; service label 60001, SR node label 2; SDN Controller; POP site/Cloud Edge (distributed DC); Core DC]

85 Summary

86 Summary EPN 4.0 nv Satellite Autonomic Networking Zero-IP Autonomic Carrier Ethernet


More information

Enterprise. Nexus 1000V. L2/L3 Fabric WAN/PE. Customer VRF. MPLS Backbone. Service Provider Data Center-1 Customer VRF WAN/PE OTV OTV.

Enterprise. Nexus 1000V. L2/L3 Fabric WAN/PE. Customer VRF. MPLS Backbone. Service Provider Data Center-1 Customer VRF WAN/PE OTV OTV. 2 CHAPTER Cisco's Disaster Recovery as a Service (DRaaS) architecture supports virtual data centers that consist of a collection of geographically-dispersed data center locations. Since data centers are

More information

Cisco Evolved Programmable Network System Test Topology Reference Guide, Release 5.0

Cisco Evolved Programmable Network System Test Topology Reference Guide, Release 5.0 Cisco Evolved Programmable Network System Test Topology Reference Guide, Release 5.0 First Published: 2017-05-30 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706

More information

EVPN Multicast. Disha Chopra

EVPN Multicast. Disha Chopra EVPN Multicast Disha Chopra Agenda EVPN Multicast Optimizations Introduction to EVPN Multicast (BUM) IGMP Join/Leave Sync Routes Selective Multicast Ethernet Tag Route Use Case 2 EVPN BUM Traffic Basics

More information

Introduction to MPLS APNIC

Introduction to MPLS APNIC Introduction to MPLS APNIC Issue Date: [201609] Revision: [01] What is MPLS? 2 Definition of MPLS Multi Protocol Label Switching Multiprotocol, it supports ANY network layer protocol, i.e. IPv4, IPv6,

More information

Taking MPLS to the Edge. Irit Gillath

Taking MPLS to the Edge. Irit Gillath Taking MPLS to the Edge Irit Gillath Agenda Market status MPLS, VPLS, HVPLS and other nasty words Case study: Silver server Recap Moving Ethernet from the enterprise to the carrier Ethernet was used originally

More information

MPLS etc.. MPLS is not alone TEST. 26 April 2016 AN. Multi-Protocol Label Switching MPLS-TP FEC PBB-TE VPLS ISIS-TE MPƛS GMPLS SR RSVP-TE OSPF-TE PCEP

MPLS etc.. MPLS is not alone TEST. 26 April 2016 AN. Multi-Protocol Label Switching MPLS-TP FEC PBB-TE VPLS ISIS-TE MPƛS GMPLS SR RSVP-TE OSPF-TE PCEP Multi-Protocol Label Switching MPLS-TP FEC VPLS PBB-TE MPLS etc.. MPLS is not alone LDP MPLS-TE LABEL MP-BGP LSP TAG H-VPLS 26 April 2016 AN TEST GMPLS SR T-MPLS ISIS-TE MPƛS OSPF-TE PCEP Multi-Protocol

More information

Hands-On Metro Ethernet Carrier Class Networks

Hands-On Metro Ethernet Carrier Class Networks Hands-On Carrier Class Networks Course Description Carriers have offered connectivity services based on traditional TDM, Frame Relay and ATM for many years. However customers now use Ethernet as the interface

More information

Intelligent WAN Multiple VRFs Deployment Guide

Intelligent WAN Multiple VRFs Deployment Guide Cisco Validated design Intelligent WAN Multiple VRFs Deployment Guide September 2017 Table of Contents Table of Contents Deploying the Cisco Intelligent WAN... 1 Deploying the Cisco IWAN Multiple VRFs...

More information

Small Enterprise Design Profile(SEDP) WAN Design

Small Enterprise Design Profile(SEDP) WAN Design CHAPTER 3 Small Enterprise Design Profile(SEDP) WAN Design This chapter discusses how to design and deploy WAN architecture for Small Enterprise Design Profile. The primary components of the WAN architecture

More information