Building NFV Solutions with OpenStack and Cisco ACI

Similar documents
Virtualization Design

Contents Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 2 of 50

Integration of Hypervisors and L4-7 Services into an ACI Fabric. Azeem Suleman, Principal Engineer, Insieme Business Unit

Cisco Application Centric Infrastructure and Microsoft SCVMM and Azure Pack

Cisco VTS. Enabling the Software Defined Data Center. Jim Triestman CSE Datacenter USSP Cisco Virtual Topology System

Virtual Machine Manager Domains

Cisco ACI Virtual Machine Networking

5 days lecture course and hands-on lab $3,295 USD 33 Digital Version

Service Graph Design with Cisco Application Centric Infrastructure

Cisco ACI Unified Plug-in for OpenStack Architectural Overview

MP-BGP VxLAN, ACI & Demo. Brian Kvisgaard System Engineer, CCIE SP #41039 November 2017

Cisco ACI Virtual Machine Networking

Weiterentwicklung von OpenStack Netzen 25G/50G/100G, FW-Integration, umfassende Einbindung. Alexei Agueev, Systems Engineer

Layer 4 to Layer 7 Design

2018 Cisco and/or its affiliates. All rights reserved.

Cisco ACI with OpenStack OpFlex Architectural Overview

Cisco ACI Virtual Machine Networking

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

ACI Multi-Site Architecture and Deployment. Max Ardica Principal Engineer - INSBU

Layer-4 to Layer-7 Services

Multi-Site Use Cases. Cisco ACI Multi-Site Service Integration. Supported Use Cases. East-West Intra-VRF/Non-Shared Service

ACI Fabric Endpoint Learning

Verified Scalability Guide for Cisco APIC, Release 3.0(1k) and Cisco Nexus 9000 Series ACI-Mode Switches, Release 13.0(1k)

Cisco UCS Director Tech Module Cisco Application Centric Infrastructure (ACI)

Cisco IT Compute at Scale on Cisco ACI

Cisco ACI Multi-Site, Release 1.1(1), Release Notes

Cisco ACI Simulator Release Notes, Release 1.1(1j)

Cisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003

Verified Scalability Guide for Cisco APIC, Release 3.0(1k) and Cisco Nexus 9000 Series ACI-Mode Switches, Release 13.0(1k)

Cisco Application Centric Infrastructure

Implementing VXLAN in DataCenter

Cisco ACI Multi-Pod and Service Node Integration

Cisco Application Policy Infrastructure Controller OpenStack and Container Plugins, Release 2.3(1), Release Notes

Cisco Application Centric Infrastructure Release 2.3 Design Guide

PSOACI Why ACI: An overview and a customer (BBVA) perspective. Technology Officer DC EMEAR Cisco

Provisioning Overlay Networks

Running RHV integrated with Cisco ACI. JuanLage Principal Engineer - Cisco May 2018

Cisco Virtual Topology System (VTS)

Cisco ACI Virtual Machine Networking

Design Guide for Cisco ACI with Avi Vantage

Project Calico v3.2. Overview. Architecture and Key Components. Project Calico provides network security for containers and virtual machine workloads.

Cisco Virtual Topology System Release Service Provider Data Center Cisco Knowledge Network. Phil Lowden (plowden) October 9, 2018

New and Changed Information

Integration of Hypervisors and L4-7 Services into an ACI Fabric

Kubernetes networking in the telco space

Project Calico v3.1. Overview. Architecture and Key Components

VXLAN Overview: Cisco Nexus 9000 Series Switches

Hybrid Cloud Solutions

Quantum, network services for Openstack. Salvatore Orlando Openstack Quantum core developer

Implementing Container Application Platforms with Cisco ACI

ACI Terminology. This chapter contains the following sections: ACI Terminology, on page 1. Cisco ACI Term. (Approximation)

Contrail Cloud Platform Architecture

Introduction to Neutron. Network as a Service

Question No: 3 Which configuration is needed to extend the EPG out of the Cisco ACI fabric?

Red Hat OpenStack Platform 10 Red Hat OpenDaylight Product Guide

OPEN CONTRAIL ARCHITECTURE GEORGIA TECH SDN EVENT

Design Guide: Deploying NSX for vsphere with Cisco ACI as Underlay

Cisco Application Centric Infrastructure (ACI) - Endpoint Groups (EPG) Usage and Design

CONTAINERS AND MICROSERVICES WITH CONTRAIL

Quick Start Guide (SDN)

Cisco SDN 解决方案 ACI 的基本概念

Design Guide to run VMware NSX for vsphere with Cisco ACI

Cisco ACI Virtual Machine Networking

Real World ACI Deployment and Migration Kannan Ponnuswamy, Solutions Architect BRKACI-2601

Building a Platform Optimized for the Network Edge

Integrating Cisco UCS with Cisco ACI

Contrail Cloud Platform Architecture

Networking Domains. Physical domain profiles (physdomp) are typically used for bare metal server attachment and management access.

Use Case: Three-Tier Application with Transit Topology

Provisioning Overlay Networks

Quick Start Guide (SDN)

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Configuring Policy-Based Redirect

Cisco ACI Simulator Release Notes, Release 3.0(2)

Cisco ACI with Cisco AVS

OpenStack Networking: Where to Next?

Routing Design. Transit Routing. About Transit Routing

ACI Transit Routing, Route Peering, and EIGRP Support

Cisco ACI and Cisco AVS

Cisco ACI vpod. One intent: Any workload, Any location, Any cloud. Introduction

Real World ACI Deployment and Migration

Introduction to Cisco Virtual Topology System DP Ayyadevara, Product Manager, Cloud Virtualization Cisco PSOSDN-1050

Cisco Virtual Networking Solution Nexus 1000v and Virtual Services. Abhishek Mande Engineer

Integration of Hypervisors & L4-7 Services with ACI

OpenStack Networking Services and Orchestration 2015 BROCADE COMMUNICATIONS SYSTEMS, INC. COMPANY PROPRIETARY INFORMATION

Practical Applications of Cisco ACI Micro Segmentation

Cisco ACI Terminology ACI Terminology 2

Flexible NFV WAN interconnections with Neutron BGP VPN

OpenStack Network Design using Cisco Solutions Shannon McFarland CCIE #5245 Principal

Fully Scalable Networking with MidoNet

Intuit Application Centric ACI Deployment Case Study

Migration from Classic DC Network to Application Centric Infrastructure

Cisco ACI for Red Hat Virtualization Environments

Data Center and Cloud Automation

Cisco Application Policy Infrastructure Controller Data Center Policy Model

Extreme Networks How to Build Scalable and Resilient Fabric Networks

Session objectives and takeaways

Actual Agility with SDN: Weaving SDN into Data Center Automation May 6, John Burke Principal Research Analyst & CIO

Cisco Virtualized Infrastructure Manager

Layer 4 to Layer 7 Service Insertion, page 1

Transcription:

Building NFV Solutions with OpenStack and Cisco ACI Domenico Dastoli @domdastoli INSBU Technical Marketing Engineer Iftikhar Rathore - INSBU Technical Marketing Engineer

Agenda Brief Introduction to Cisco ACI Introduction and benefits to run OpenStack and ACI Integration. NFV features of ACI Neutron Plugin. High performance HW Load Balancing to OpenStack VNFs through BGP ECMP. Deployment of service chaining using Neutron SFC API.

What is Cisco ACI? 2018 Cisco and/or its affiliates. All rights reserved. 3

Cisco SDN Solution: Nexus 9000 + APIC controller = Cisco ACI

Network Policy across multiple Domains One network policy framework that can be extended across multiple domains: physical servers, multiple VMM and containers Bare Metal 5

OpFlex A flexible, extensible policy protocol OpFlex is an open source extensible policy resolution protocol designed for declarative control of datacenter infrastructure. 1. Abstract policies rather than device-specific configuration 2. Flexible, extensible definition of using XML / JSON 3. Support for any device vswitch, physical switch, network services, servers, etc. Opflex Agent Policies à Who can talk to whom à What about à Topology control à Policy Based Redictrion Opflex Agent Opflex Agent Opflex Agent Opflex Agent Opflex Proxy Opflex Agent Opflex Agent AVE VMware OVS SCVMM

ACI Anywhere - Vision Any Workload, Any Location, Any Cloud ACI Anywhere Remote Pod Multi-Pod / Multi-Site Hybrid Cloud Extension IP WAN IP WAN Remote Location On Premises Public Cloud Security Everywhere Analytics Everywhere Policy Everywhere BRKACI-3456 7

Why Cisco ACI and OpenStack? 2018 Cisco and/or its affiliates. All rights reserved. 8

OpenStack Challenges Non distributed L3 services No underlay visibility Performance Complexity of troubleshooting

Why Cisco ACI and OpenStack? Distributed, Scalable Virtual Networking Hardware-Accelerated Performance Integrated Overlay and Underlay Operations and Telemetry 4 key advantages to remember

Why Cisco ACI and OpenStack? Distributed, Scalable Virtual Networking Hardware-Accelerated Performance Full Neutron Node datapath replace Fully distributed Layer 2, anycast gateway, DHCP, and metadata Distributed NAT and floating IP address Integrated Overlay and Underlay Operations and Telemetry

Why Cisco ACI and OpenStack? Distributed, Scalable Virtual Networking Hardware-Accelerated Performance Automatic VXLAN tunnels at top of rack (ToR) No wasted CPU cycles for tunneling Optional use of SRIOV and OVS DPDK (VPP support roadmapped) Integrated Overlay and Underlay Operations and Telemetry

Why Cisco ACI and OpenStack? Distributed, Scalable Virtual Networking Hardware-Accelerated Performance Integrated Overlay and Underlay Operations and Telemetry Fully managed underlay network through Cisco APIC Capability to connect physical servers and multiple hypervisors to overlay networks

Why Cisco ACI and OpenStack? Distributed, Scalable Virtual Networking Hardware-Accelerated Performance Integrated Overlay and Underlay Operations and Telemetry Troubleshooting across physical and virtual environments Health scores and capacity planning per tenant network

ACI Neutron Plugin With OpFlex Support Full Policy Based Network Automation Extended to the Hypervisor OpenStack Controller APIC Neutron Plugin OpFlex for OVS Open Source OpFlex agent extends ACI into the host OpFlex Proxy exposes new open API in ACI fabric OpenStack Feature Highlights Fully distributed Neutron network functions, including NAT OpFlex Proxy Integrated, centrally managed overlay and underlay fabric Operational visibility integrating OpenStack, Linux, and APIC Hypervisor OVS OpFlex Agent Choice of virtual network (standard Neutron ML2) or Groupbased Policy driven networking VIM

ACI Neutron Plugin Main Components ML2 Plugin Neutron-server Controller node AIM APIC Driver converts neutron to Cisco ACI Policy Main Components are: AIM ACI ML2 Plugin Opflex Agent Cisco ACI fabric provides line rate distributed routing and switching capabilities / OpFlex Proxy Opflex Proxy Receives Policies from APIC OVS Rules programmed by the OpFlex Agent are used for policy enforcement L2/L3 Ovs rules VLAN or VXLAN Open vswitch Opflex Agent Project 1 Project 2 Project 3 OpFlex Agent Receives Policies from ACI leaf

The AIM Daemon at work: the workflow Application Network Profile 3 C1 EPG EPG WEB C2 APP C3 EPG DB Create Application Policy 5 ACI Fabric 2 Push Policy Automatically Push Network Profiles to APIC and keep it sync AIM Create Network, Subnet, Security Groups, Policy 1 NETWORK ROUTING SECURITY OPEN VIRTUAL SWITCH OPEN VIRTUAL SWITCH OPEN VIRTUAL SWITCH NEUTRON NOVA 4 Web App Web App DB App DB OpenStack Tenant Instantiate VMs HYPERVISOR HYPERVISOR HYPERVISOR 17

OpenStack Neutron to APIC Objects Mapping With the ML2 Standard Neutron model, the following mapping happens. All the operations are done on OpenStack through Horizon, CLI or Heat Neutron Object Project Network Subnet Router Security Group + Rule APIC Object Tenant EPG + BD Subnet Contract ACI Host Protection Profiles

ACI Tenant Creation with ML2 model

NFV Features of ACI Neutron Plugin 2018 Cisco and/or its affiliates. All rights reserved. 20

Challenges of VNFs Configuration of dynamic routing protocol between fabric switch and VNF Support for dynamic VNF deployed in distributed fashion Traffic distribution among VNF Wider ECMP than normally seen with physical appliance Ensure evenly traffic distribution among VNF Optimal performance with VNF VNFs VNFs Rack-1 Rack-2 Protocol peering

How ACI can help solve NFV challenges ACI Plugin Supports Neutron Trunk Ports. Neutron SVI for dynamic BGP peering to VNFs. ACI Plugin Supports Neutron SFC with traffic redirection to VNF. Support for OVS-DPDK and SR-IoV.

Neutron SVI Support 2018 Cisco and/or its affiliates. All rights reserved. 23

What is Neutron SVI feature ACI plugin for OpenStack enables distributed route peering between the switches and OpenStack VNFs: Based on the creation or destruction of VNFs, Neutron SVI feature dynamically and automatically create and destroy SVI on the underlay and enables line rate routing capabilities and up to 64-way ECMP to the VNFs.

ACI with VNFs capabilities Supports up to 6 pairs of switches under same L3out Supports VNFs across distributed sites (MultiPod) Supports automatic BGP peering over fabric for encapsulated control traffic Supports bonding with VPC Support BFD for fast VM failure detection ACI L3out (L2 segment extended via ACI fabric) VNF-1 VNF-2 VNF-3 VNF-4

Distribute traffic evenly to VNFs Each VNF within the cluster receives equal amount of data traffic, regardless where it is attached Each border leaf evenly distribute traffic flows to each VNF instance. Traffic destining to some VNFs will be forwarded via fabric Ingress leaf evenly distribute traffic flows to each border leaf where VNFs are attached.1.2.3.4 VNID1.11.12.13 VNFs 100.1.1.0/24 VNFs Rack-1 Rack-2 Rack-2

Example: Topology EPG-Client Bridge Domain Client 20.0.0.0/24 DGW: 20.0.0.1 L3out-LB L3out SVILB 172.168.0.0/24 BGP ASN 65534 EPG-ServerFarm Bridge Domain ServerFarm 192.168.1.0/24 DGW: 192.168.1.1 Client Client.11.12 VIP: 10.10.10.10/32 server server.101.102

Example: BGP Peering ACI has 2 ECMP for VIP 10.10.10.10. EPG-Client Bridge Domain Client 20.0.0.0/24 DGW: 20.0.0.1 L3out-LB L3out SVILB 172.168.0.0/24 BGP ASN 65534 EPG-ServerFarm Bridge Domain ServerFarm 192.168.1.0/24 DGW: 192.168.1.1 Client Client Both LB1 and LB2 advertise through BGP the VIP to ACI..11.12 VIP: 10.10.10.10/32 server server.101.102

Example: Packet Flow Client1 to LB The packet will be round robin by ACI to one of the available LB. EPG-Client Bridge Domain Client 20.0.0.0/24 DGW: 20.0.0.1 L3out-LB L3out SVILB 172.168.0.0/24 BGP ASN 65534 EPG-ServerFarm Bridge Domain ServerFarm 192.168.1.0/24 DGW: 192.168.1.1 Client Client Source 20.0.0.8 -> Destination 10.10.10.10 Is served by LB1 172.168.0.11.11.12 VIP: 10.10.10.10/32 server server.101.102

Example: Packet Flow Client2 to LB A second client will be served by another LB as ACI will round robin and hash the client s flows. EPG-Client Bridge Domain Client 20.0.0.0/24 DGW: 20.0.0.1 L3out-LB L3out SVILB 172.168.0.0/24 BGP ASN 65534 EPG-ServerFarm Bridge Domain ServerFarm 192.168.1.0/24 DGW: 192.168.1.1 Client Client Source 20.0.0.12 -> Destination 10.10.10.10 Is served by LB1 172.168.0.12.11.12 VIP: 10.10.10.10/32 server server.101.102

Example: Packet Flow LB to serverfarm EPG-Client Bridge Domain Client 20.0.0.0/24 DGW: 20.0.0.1 L3out-LB L3out SVILB 172.168.0.0/24 BGP ASN 65534 EPG-ServerFarm Bridge Domain ServerFarm 192.168.1.0/24 DGW: 192.168.1.1 Client Client.11.12 VIP: 10.10.10.10/32 server server.101.102 Source 10.10.10.101 -> Destination 192.168.1.101 LB will snat and send packet to one server of the farm

Deployment of service chaining using Neutron SFC API 2018 Cisco and/or its affiliates. All rights reserved. 32

What is SFC Neutron Service Function Chaining is the upstream OpenStack API to configure service chaining. Why SFC Makes multinode PBR easier Use upstream Openstack API to deploy Service Graph with Multinode PBR No ACI manual configuration Usage Create Left and Right networks (BD s) Create port-pairs Create port-pair groups Create flow-classifier Create Service Chain Update Service Chain

Neutron SFC API Port chain, or service function path, consists of the following: Port pairs Set of ports that define the sequence of service functions. Flow classifiers that specify the classified traffic flows entering the chain. Port chain update Port pair group update CLI support depends on OpenStack vendor We support API Port Chain Flow Classifier port_pair_groups flow_classifiers Neutron Server Port Chain API Port Chain Database Driver Manager Common Driver API AIM ACI FABRIC/OVS Port Pair Group port_pairs Port Pair ingress/ egress Neutron Port

OpenStack Orchestrates Virtual Networks (via Neutron API) Extended to reference existing L3Outs, configuring SVI & BGP peering on them VNF lifecycle management (via Nova API) Service Function Chaining API Port Pair (ingress and egress interface of a VNF) Port Pair Group (VNF HA cluster) Port Chain (linear chain of VNF clusters) Flow Classifier (forwarding classification) Port Chain Flow Classifier port_pair_groups flow_classifiers Neutron Server Port Chain API Port Chain Database Driver Manager Common Driver API AIM ACI FABRIC/OVS Port Pair Group port_pairs Port Pair ingress/ egress Neutron Port

APIC Mapping of neutron Service Chain PBR Node BD1 (192.168.1.254/24) Svc-BD1 Svc-BD2 BD2 (192.168.2.254/24) (172.16.1.254/24) (172.16.2.254/24) Client external internal EPG Web 192.168.1.1/24 L3.100.100 L3 192.168.2.1/24 Port Pair 1 Port Pair 2 Port Pair 3 Port-pair group 1 Port-pair group 2 Service chain

Deployed Service Graph

Creating Service Chain Create Left and Right Networks (BD) neutron net-create SRC-NET openstack subnet create --ip-version 4 --gateway 1.1.0.1 --network SRC-NET_ID --subnet-range 1.1.0.0/24 -- host-route destination=10.0.0.0/16,gateway=1.1.0.1 '' neutron net-create DST-NET openstack subnet create --ip-version 4 --gateway 2.2.0.1 --network DST-NET_ID --subnet-range 2.2.0.0/24 -- host-route destination=0.0.0.0/0,gateway=2.2.0.1 Create Flow Classifier neutron flow-classifier-create --destination-ip-prefix 0.0.0.0/0 --source-ip-prefix 10.0.1.0/24 --l7-parameters logical_source_network=src-net_id,logical_destination_network=dst-net_id CLASSIFIER1

Creating Service Chain (Cont) Create Src and Dest neutron Ports openstack port create SERVICE1-INGRESS --network SRC-NET_ID --no-security-group --disable-port-security --fixed-ip subnet=src-subnet_id,ip-address=1.1.0.11 openstack port create SERVICE1-EGRESS --network DST-NET_ID --no-security-group --disable-port-security --fixed-ip subnet=dst-subnet_id,ip-address=2.2.0.11 Create Port Pair neutron port-pair-create --ingress SERVICE1-INGRESS-PORT_ID --egress SERVICE1-EGRESS-PORT_ID PORTPAIR1 Create Port Pair Group neutron port-pair-group-create --port-pair PORTPAIR1_ID CLUSTER1 Create Service Chain neutron -port-chain-create --flow-classifier CLASSIFIER1_ID --port-pair-group CLUSER1_ID SERVICE-CHAIN1 Create service VM nova --os-project-name Peets boot --flavor medium --image ServiceImage1 --nic port-id=service1-ingress-port_id --nic port-id=service1-ingress-_port_id SERVICE-VM-1

More bumps on a wire Create more Left and Right Networks (BD) neutron net-create SRC-NET2 openstack subnet create --ip-version 4 --gateway 1.1.0.1 --network SRC-NET2_ID --subnet-range 1.1.0.0/24 - -host-route destination=10.0.0.0/16,gateway=1.1.0.1 '' neutron net-create DST-NET2 openstack subnet create --ip-version 4 --gateway 2.2.0.1 --network DST-NET2_ID --subnet-range 2.2.0.0/24 - -host-route destination=0.0.0.0/0,gateway=2.2.0.1 Create Src and Dest neutron Ports for service 2 openstack port create SERVICE2-INGRESS --network SRC-NET2_ID --no-security-group --disable-port-security --fixed-ip subnet=src-subnet2_id,ip-address=3.3.0.11 openstack port create SERVICE2-EGRESS --network DST-NET2_ID --no-security-group --disable-port-security - -fixed-ip subnet=dst-subnet2_id,ip-address=4.4.0.11

Adding more bumps on a wire Create Port Pair for service 2 neutron port-pair-create --ingress SERVICE2-INGRESS_PORT_ID --egress SERVICE2-EGRESS_PORT_ID PORTPAIR2 Create Port Pair Group for service 2 neutron port-pair-group-create port-pair PORTPAIR1_ID CLUSTER2 Update Service Chain (add new Port Pair Group) neutron port-chain-update SERVICE-CHAIN1_ID --flow-classifier CLASSIFIER1_ID --port-pair-group CLUSTEER1 --port-pair-group CLUSTER2 Create service2 VM nova --os-project-name Peets boot --flavor medium --image ServiceImage1 --nic port-id=service2-ingress- PORT_ID --nic port-id=service2-egress-port_id SERVICE_VM-2

Service chaining - PBR

Service chaining Deployed Service Graph

Application Create full service chain with peering BRAS BRAS NAT Transit SVI VNF VNF Tenant: IT

Sum Up 2018 Cisco and/or its affiliates. All rights reserved. 47

OpenStack and ACI for VNFs Better Together ACI Plugin for OpenStack: Increases Visibility Overlay/Underlay and Simplifies Troubleshooting Enables distribute L3 functions Allows Accelerated VM technologies as DPDK and SR-IoV Automatically LB distributed VNFs through Neutron SVI Allows Neutron Service Function Chaining

Want to know more? https://www.cisco.com/go/aci https://www.cisco.com/c/en/us/support/cloud-systemsmanagement/application-policy-infrastructure-controller-apic/tsd-productssupport-series-home.html#openstack_installation_guides https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1- x/openstack/b_aci_with_openstack_opflex_architectural_overview/b_ac I_with_OpenStack_OpFlex_Architectural_Overview_chapter_010.html https://www.cisco.com/c/dam/en/us/td/docs/website/datacenter/aci/virtuali zation/matrix/virtmatrix.html Facebook: Cisco ACI User Group

Come talk to us! Ifti Rathore Domenico Dastoli Cisco (A5)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback