Evolved Service Platform: Cisco Strategy for SDN/NFV
Patrice Nivaggioli, SP Architectures - EMEAR, June 2015
Agenda
- Evolved Service Platform (ESP) Overview
- Model driven architectures
- Virtual topologies
- Use Cases
Cisco ESP Framework: Transform Business through Automation, Service Innovation, and Optimization

Layers shown in the framework diagram, top to bottom:
- Cisco Services
- Applications: Business, Mobility, Video, Consumer
- Evolved Services Platform: Service Broker, Service Profile, Orchestration Engine, Catalog of Network Functions (physical, VNFs)
- Evolved Programmable Network: VNFs, Compute, Storage, Network
Cisco ESP Solutions: Transform Business through Automation, Service Innovation, and Optimization

Products mapped onto the framework layers in the diagram:
- Applications: Business, Mobility, Video, Consumer
- Evolved Services Platform:
  - Service Broker / Orchestration Engine: Network Services Orchestrator (enabled by tail-f)
  - Service Profile: Meraki, ESC-lite
  - Orchestration Engine: Open SDN Controller
  - Catalog of Network Functions: APIC, VTC, ESC, CTCM
- Evolved Programmable Network (VNFs, Compute, Storage, Network), by domain:
  - Customer Premise: MX60, ISR G2, VNF/UCS(E)
  - Access / WAN: ASR, CRS, CSR/XRv
  - Data Center: ACI/Nexus, VTF, VNFs
Virtualized Infrastructure: YANG in the Orchestration domain

Diagram: a YANG service model is rendered by the orchestrator onto two domains.
- Physical domain: customer edges CE0-CE6, provider edges PE0-PE3 and an MPLS core of P0-P3.
- Virtualized domain: VNF Manager, VIM (OpenStack), SDN controller and vswitch hosting a service chain of VNFs.
YANG Model Example: L3VPN - topology

[yang]pnivaggi $ more l3vpn.yang

    module l3vpn {
      namespace "http://com/example/l3vpn";
      prefix l3vpn;

      import ietf-inet-types { prefix inet; }
      import tailf-common    { prefix tailf; }
      import tailf-ncs       { prefix ncs; }

      container topology {
        // Devices grouped by their role in the underlay (ce, pe or p)
        list role {
          key "role";
          tailf:cli-compact-syntax;
          leaf role {
            type enumeration {
              enum ce;
              enum pe;
              enum p;
            }
          }
          // leafref: every device listed here must exist under /ncs:devices
          leaf-list device {
            type leafref {
              path "/ncs:devices/ncs:device/ncs:name";
            }
          }
        }
        // Point-to-point links between two devices, optionally VLAN tagged
        list connection {
          key "name";
          leaf name { type string; }
          container endpoint-1 {
            tailf:cli-compact-syntax;
            // connection-grouping is referenced but its definition is not on this slide
            uses connection-grouping;
          }
          container endpoint-2 {
            tailf:cli-compact-syntax;
            uses connection-grouping;
          }
          leaf link-vlan { type uint32; }
        }
      }
YANG Model Example: L3VPN - VPN

      container vpn {
        list l3vpn {
          description "Layer3 VPN";
          key name;
          leaf name {
            tailf:info "Unique service id";
            tailf:cli-allow-range;
            type string;
          }
          // Marks this list as an NCS service with its own servicepoint (mapping code)
          uses ncs:service-data;
          ncs:servicepoint l3vpn-servicepoint;
          leaf as-number {
            description "AS used within all VRF of the VPN";
            tailf:info "MPLS VPN AS number.";
            mandatory true;
            type uint32;
          }
          // One endpoint per attached customer site
          list endpoint {
            key "id";
            leaf id {
              tailf:info "Endpoint identifier";
              type string;
            }
            leaf ce-device {
              mandatory true;
              type leafref {
                path "/ncs:devices/ncs:device/ncs:name";
              }
            }
            leaf ce-interface {
              mandatory true;
              type string;
            }
            leaf ip-network {
              // the private IP network
              mandatory true;
              type inet:ip-prefix;
            }
            leaf bandwidth {
              tailf:info "Bandwidth in bps";
              mandatory true;
              type uint32;
            }
          }
        }
      }
    }
YANG Model configuration examples: L3VPN

L3 VPN service configuration

    admin@ncs% show vpn l3vpn ford
    as-number 22000;
    endpoint 10 {
        ce-device    ce0;
        ce-interface gigabitethernet0/1;
        ip-network   10.0.1.0/24;
        bandwidth    1000000;
    }
    endpoint 20 {
        ce-device    ce1;
        ce-interface gigabitethernet0/1;
        ip-network   10.0.2.0/24;
        bandwidth    1000000;
    }
    qos {
        qos-policy BRONZE;
    }

L3 VPN topology configuration

    admin@ncs% show topology
    role ce {
        device [ ce0 ce1 ce2 ce3 ce4 ce5 ce6 ce7 ce8 ];
    }
    role pe {
        device [ pe0 pe1 pe2 pe3 ];
    }
    role p {
        device [ p0 p1 p2 p3 ];
    }
    connection c0 {
        endpoint-1 {
            device     ce0;
            interface  GigabitEthernet0/8;
            ip-address 192.168.1.1/30;
        }
        endpoint-2 {
            device     pe0;
            interface  GigabitEthernet0/0/0/3;
            ip-address 192.168.1.2/30;
        }
        link-vlan 88;
    }
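The value of a model like the one above is that every service instance can be checked against its constraints before any device is touched. The following added example (not part of the slides, not NSO code) expresses the "ford" service and the topology role table as plain Python data and validates the instance the way the model's constraints demand: mandatory leaves present, uint32 ranges respected, ip-network a syntactically valid inet:ip-prefix, the endpoint list key unique, and the ce-device leafref resolving to a known device. Representing /ncs:devices by the union of the topology role lists is an assumption made here for the sake of a self-contained script.

```python
import ipaddress

# Constructed sample data mirroring the slide's "show topology" and "show vpn l3vpn ford"
TOPOLOGY_ROLES = {
    "ce": ["ce0", "ce1", "ce2", "ce3", "ce4", "ce5", "ce6", "ce7", "ce8"],
    "pe": ["pe0", "pe1", "pe2", "pe3"],
    "p":  ["p0", "p1", "p2", "p3"],
}

FORD_SERVICE = {
    "name": "ford",
    "as-number": 22000,
    "endpoint": [
        {"id": "10", "ce-device": "ce0", "ce-interface": "gigabitethernet0/1",
         "ip-network": "10.0.1.0/24", "bandwidth": 1000000},
        {"id": "20", "ce-device": "ce1", "ce-interface": "gigabitethernet0/1",
         "ip-network": "10.0.2.0/24", "bandwidth": 1000000},
    ],
}

UINT32_MAX = 2 ** 32 - 1
# Leaves the model marks "mandatory true" inside list endpoint
ENDPOINT_MANDATORY = ("ce-device", "ce-interface", "ip-network", "bandwidth")


def validate_l3vpn(service, topology_roles):
    """Return the list of constraint violations for one l3vpn instance (empty == valid).

    The leafref /ncs:devices/ncs:device/ncs:name is approximated (assumption) by the
    set of devices that appear in any topology role.
    """
    errors = []
    known_devices = {d for devs in topology_roles.values() for d in devs}

    if not service.get("name"):
        errors.append("name: list key missing")
    asn = service.get("as-number")
    if asn is None:
        errors.append("as-number: mandatory leaf missing")
    elif not 0 <= asn <= UINT32_MAX:
        errors.append(f"as-number {asn}: outside uint32 range")

    seen_ids = set()
    for ep in service.get("endpoint", []):
        eid = ep.get("id", "<no id>")
        if eid in seen_ids:
            errors.append(f"endpoint {eid}: duplicate list key")
        seen_ids.add(eid)

        for leaf in ENDPOINT_MANDATORY:
            if leaf not in ep:
                errors.append(f"endpoint {eid}: mandatory leaf {leaf} missing")

        dev = ep.get("ce-device")
        if dev is not None and dev not in known_devices:
            errors.append(f"endpoint {eid}: ce-device {dev} does not resolve (leafref)")

        net = ep.get("ip-network")
        if net is not None:
            try:
                ipaddress.ip_network(net, strict=False)
            except ValueError:
                errors.append(f"endpoint {eid}: ip-network {net} is not a valid ip-prefix")

        bw = ep.get("bandwidth")
        if bw is not None and not 0 <= bw <= UINT32_MAX:
            errors.append(f"endpoint {eid}: bandwidth {bw} outside uint32 range")

    return errors


if __name__ == "__main__":
    print(validate_l3vpn(FORD_SERVICE, TOPOLOGY_ROLES) or "ford: valid")
```

A real NSO deployment enforces these rules in the CDB transaction itself; running the same checks in a pre-commit hook or CI job on service payloads catches a mistyped device name or a malformed prefix before it reaches the orchestrator.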
Service Modeling with Cisco NSO: Architecture overview

Components shown in the NSO (NCS) architecture diagram:
- Northbound interfaces for OSS/BSS and network engineers: NETCONF, REST, JSON-RPC, Java, CLI, Web UI
- Core Engine with Service Manager, Device Manager, Package Manager, AAA, Alarm Manager and Notification Receiver
- Service and Device Data, Auxiliary Service Data, Script API and Developer API
- Mapping Logic: Fast Map and Mapping Templates
- Models: Service Models, Device Models, Topology Models, Service Assurance Models, Resource Manager Models, Policy Models (QoS)
- Network Element Drivers (NEDs)
Cisco Solution Mapped on ETSI NFV Framework

- Portal: SP's portal or Prime Service Catalog
- OSS/BSS: SP's OSS/BSS or Prime Order Fulfillment
- NFV orchestrator: NSO (powered by Tail-f NCS), with Service Assurance
- VNFs: VNF 1, VNF 2, VNF 3 (Cisco or 3rd party), each managed through NSO
- VNF manager: ESC
- NFVI: KVM (or ESXi) on Cisco UCS, Ceph storage on UCS (iSCSI), VTF/ACI on the Cisco network, OpenStack as VIM, VTC/APIC Virtual Topology System (VTS) as SDN controller

End-to-end solution from Cisco including NFVI, MANO, a wide array of VNFs and Professional Services.
ETSI NFV PoC#36: Orchestration of Active Monitoring
https://www.youtube.com/watch?v=zftkztcehlq
Service Modeling with Cisco NSO: Service Application and Mapping

Diagram of the mapping path for the L3 VPN example:
- VPN Service Model (Developer API) -> Java Mapping Logic (Fast Map) -> Mapping Templates
- Auxiliary data feeding the mapping: physical and NFV resources
- The service application exposes a simple variable interface to the feature templates: PE Feature Template, VNFM Feature Template, CE Feature Template
- The feature templates render onto the device models: IOS XR YANG Model, IOS YANG Model, ESC YANG Model and 3rd Party YANG Models
Service Modeling with Cisco NSO: Service Application and Fast Map algorithm

Diagram: the Developer API drives the Mapping Logic (Fast Map) and Mapping Templates for service creation and service change. Note: service delete not shown.
Service Modeling with Cisco NSO: Service Intent, Topology Overlay and Underlay

The service intent is inspected with "localadmin@cvpn-ncs-svc-01> show configuration virto" and the topology with "localadmin@cvpn-ncs-svc-01> show configuration topology". Both live in the transaction database (CDB) and a GraphDB; NSO seeks the appropriate resources to instantiate the service.
Network Devices Modeling: Feature Template

How NSO touches ODL (the same applies to OpenStack Neutron): each device type is described by a YANG model and reached through a Network Element Driver (NED) over the protocol the device speaks.
- IOS YANG Model -> NED -> CLI -> IOS
- IOS XR YANG Model -> NED -> NETCONF/YANG -> IOS XR
- ESC YANG Model -> NED -> NETCONF/YANG -> ESC
- ODL YANG Model -> NED -> RESTful -> ODL
IETF network and service models

- Many RFCs and drafts define YANG models for individual network features or for overall service delivery.
- YANG model and NETCONF adoption on devices will simplify 3rd party device integration, i.e. NED simplification.
- Policy abstractions like GBP or SFC already have their YANG models.

Examples:
- draft-zhang-mpls-lspdb-yang-00: A generic YANG Data Model for Label Switch Path (LSP)
- draft-ietf-netmod-routing-cfg-19: A YANG Data Model for Routing Management
- draft-penno-sfc-yang-13: Yang Data Model for Service Function Chaining
- draft-ietf-isis-yang-isis-cfg-02: YANG Data Model for ISIS protocol
- draft-asechoud-netmod-diffserv-model-02: YANG Model for Diffserv
- draft-litkowski-spring-sr-yang-00: YANG Data Model for Segment Routing
- draft-zhdankin-idr-bgp-cfg-00: Yang Data Model for BGP Protocol
- draft-ltsd-l3sm-l3vpn-service-model-00: YANG Data Model for L3VPN service delivery

https://datatracker.ietf.org/doc/search/?sort=status&rfcs=on&name=yang&activedrafts=on
A typical NFV/SDN network design

- Orchestrator or VIM: provides the API to applications to control the network; has a database that stores the requested network state; does not control the network directly.
- SDN controller (GBP, SFC, VTN): controls the software forwarders that move packets from hardware NICs to VMs, or controls SR-IOV hardware; controls the hardware between the hosts to move packets efficiently, e.g. on-switch VXLAN, DC edge routers.
- Forwarding elements: may be software or hardware.
Introducing Group Based Policy Model

Diagram: two Groups (each made of Policy Targets inside an L2 Policy, within an L3 Policy) are linked by a Policy Rules Set that one group provides and the other consumes. The rule set holds Policy Rules built from Classifiers and Actions, and can steer traffic through a Service Chain of Nodes.

- Group: set of endpoints with the same properties; often a tier of an application.
- Policy Rules Set: set of Classifier / Actions describing how Policy Groups communicate.
- Policy Classifier: traffic filter including protocol, port and direction.
- Policy Action: behavior to take as a result of a match. Supported actions include allow and redirect.
- Service Chains: set of ordered network services between Groups.
- L2 Policy: specifies the boundaries of a switching domain. Broadcast is an optional parameter.
- L3 Policy: an isolated address space containing L2 Policies/Subnets.
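The definitions above describe a small policy language: groups of targets, rule sets that a group provides or consumes, classifiers on protocol/port/direction, and allow or redirect actions. The added example below (written for this page; it is not OpenStack GBP or ODL code) implements an evaluator for that model over a constructed three-tier tenant, so one can see which rule set applies to a flow and what happens when no rule matches. Group, rule-set and chain names are invented for the sample; the "deny when nothing matches" default and the reading of "in" as consumer-to-provider traffic are assumptions of this implementation.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Classifier:
    """Policy Classifier: protocol, destination port and direction.

    Direction is relative to the providing group (assumption): "in" is traffic
    from the consumer towards the provider, "out" the reverse, "bi" both.
    """
    protocol: str           # "tcp", "udp", "icmp" or "any"
    port: Optional[int]     # None means any destination port
    direction: str          # "in", "out" or "bi"

    def matches(self, protocol, port, direction):
        return ((self.protocol == "any" or self.protocol == protocol)
                and (self.port is None or self.port == port)
                and (self.direction == "bi" or self.direction == direction))


@dataclass(frozen=True)
class PolicyRule:
    classifier: Classifier
    action: str                          # "allow" or "redirect"
    service_chain: Optional[str] = None  # chain name, only for redirect


@dataclass(frozen=True)
class Group:
    name: str
    targets: frozenset                   # Policy Targets (endpoint identifiers)
    provides: frozenset = frozenset()    # rule-set names this group provides
    consumes: frozenset = frozenset()    # rule-set names this group consumes


class GroupPolicy:
    def __init__(self, groups, rule_sets):
        self.groups = {g.name: g for g in groups}
        self.rule_sets = rule_sets       # rule-set name -> ordered list of PolicyRule
        self.target_to_group = {t: g.name for g in groups for t in g.targets}

    def evaluate(self, src_target, dst_target, protocol, port):
        """Return (action, service_chain) for one flow; ("deny", None) if nothing matches."""
        src = self.groups.get(self.target_to_group.get(src_target))
        dst = self.groups.get(self.target_to_group.get(dst_target))
        if src is None or dst is None:
            return ("deny", None)
        # A rule set applies only where one side provides it and the other consumes it.
        candidates = [(rs, "in") for rs in dst.provides & src.consumes]
        candidates += [(rs, "out") for rs in src.provides & dst.consumes]
        for rs_name, direction in candidates:
            for rule in self.rule_sets.get(rs_name, []):
                if rule.classifier.matches(protocol, port, direction):
                    return (rule.action, rule.service_chain)
        return ("deny", None)


# Constructed sample tenant: clients -> web tier -> app tier
WEB_ACCESS = [
    PolicyRule(Classifier("tcp", 443, "in"), "redirect", "ssl-lb-waf-ids"),
    PolicyRule(Classifier("tcp", 80, "in"), "allow"),
]
APP_ACCESS = [PolicyRule(Classifier("tcp", 8080, "in"), "allow")]

POLICY = GroupPolicy(
    groups=[
        Group("clients", frozenset({"client1"}), consumes=frozenset({"web-access"})),
        Group("web", frozenset({"web1", "web2"}),
              provides=frozenset({"web-access"}), consumes=frozenset({"app-access"})),
        Group("app", frozenset({"app1"}), provides=frozenset({"app-access"})),
    ],
    rule_sets={"web-access": WEB_ACCESS, "app-access": APP_ACCESS},
)

if __name__ == "__main__":
    for flow in [("client1", "web1", "tcp", 443), ("client1", "app1", "tcp", 8080)]:
        print(flow, "->", POLICY.evaluate(*flow))
```

The point to take from the evaluator is that reachability is a property of the provide/consume relationship, not of the groups' addresses: the client group never reaches the app tier, even on the port the app tier provides, because it does not consume that rule set.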
Group Based Policy deployment

- The Neutron Driver maps GBP to the existing Neutron API and offers compatibility with any existing Neutron plugin.
- Native plugins exist for OpenDaylight as well as multiple vendors (Cisco, Nuage Networks, and One Convergence).
- Open model that is compatible with ANY physical or virtual networking backend.

Diagram: CLI, Horizon and Heat drive Group Based Policy, which reaches the network either through the GBP Neutron Driver (Neutron with any existing plugins and ML2 drivers) or through a GBP Native Driver (3rd party).
GBP configuration in Horizon: a new Policy tab provides the policy authoring interface.
Service Chaining Function Introduction

- The trend is to separate network functions into individual VMs and link them via a service chain.
- Service chain types:
  - Bridged: use separate virtual bridges to enforce a service chain
  - VLANs: stitch VLANs together to guide a flow through the sequence of service functions
  - Routing: manipulate routing tables
  - NSH / Service Function Chaining
Why we must Evolve Service Function Chaining

Try rendering a business policy like "All traffic between the Internet and the Web front end servers":
- apply de/encryption with highest throughput, low latency and least $$ cost
- copy all mobile-only transactions to a Big Data analytics system; perform the copy at the most optimal point ($$ cost and least latency impact)
- send all traffic through a SLB+WAF and an IDS
Additionally, deploy this policy with other caveats like:
- service functions are both virtual and physical, and vendor neutral
- compute and service elasticity; compute mobility
Practically impossible today!

Diagram: Internet -> Elastic SSL -> Elastic LB + WAF -> Elastic IDS -> Elastic Web FE, with mobile traffic copied through Elastic Copy to Elastic Analytics.
Components of an Evolved Service Chaining Architecture

- Service Classifier (SC): determines which traffic requires service; forms the logical start of a service path.
- Service Path: the actual forwarding path used to realize a service chain; the intent -> the actual instantiation of the chain in the network.
- Service Overlay: the network overlay created to form the service path.
- Service Network Forwarder (SNF): tunnels service paths to the downstream SFF.
- Service Function Forwarder (SFF): forwards packets to the SF instance; load-balancing awareness across multiple SF instances.
- Service Header: shared context, carried in a service header, enables network-service interaction and richer policy creation and enforcement.

Diagram: the classifier pushes a service header onto the IP packet (IP + NSH); SNFs carry it across GRE or VXLAN transport (IP + NSH + GRE, IP + NSH + VXLAN) to SFFs, which deliver it to service function instances SF x/y (instance x of service function type y).
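To make the classifier / SFF / SF roles concrete, the added example below (written for this page; not Cisco or ODL code) builds and parses a Network Service Header in the RFC 8300 layout with MD type 1 and walks a packet along a constructed service path. The classifier assigns a Service Path Identifier and the initial Service Index, each SFF decrements the TTL and looks up (SPI, SI) in its forwarding table, each SF decrements the SI, and a packet whose TTL or SI is exhausted, or whose (SPI, SI) has no table entry, is dropped rather than forwarded. The hop names and the "sf-" naming convention are constructed for the sample; real deployments carry different metadata in the context headers.

```python
import struct

NSH_VERSION = 0
MD_TYPE_1 = 0x1            # fixed-length metadata: four 32-bit context headers
NEXT_PROTO_IPV4 = 0x1
MDTYPE1_LEN_WORDS = 6      # base header + service path header + 4 context words


def build_nsh(spi, si, context=(0, 0, 0, 0), ttl=63, next_proto=NEXT_PROTO_IPV4):
    """Encode an NSH (RFC 8300, MD type 1). SPI is 24 bits, SI is 8 bits."""
    if not 0 <= spi < 2 ** 24:
        raise ValueError("SPI out of range")
    if not 1 <= si <= 255:
        raise ValueError("SI out of range")
    # Base header: Ver(2) O(1) U(1) TTL(6) Length(6) U(4) MD Type(4) Next Protocol(8)
    word0 = ((NSH_VERSION << 30) | ((ttl & 0x3F) << 22) | (MDTYPE1_LEN_WORDS << 16)
             | (MD_TYPE_1 << 8) | (next_proto & 0xFF))
    word1 = (spi << 8) | si      # Service Path Header: SPI(24) SI(8)
    return struct.pack("!II4I", word0, word1, *context)


def parse_nsh(buf):
    """Decode an MD type 1 NSH; raise ValueError for anything else or a truncated header."""
    if len(buf) < 8:
        raise ValueError("short NSH")
    word0, word1 = struct.unpack("!II", buf[:8])
    hdr = {
        "version": word0 >> 30, "oam": (word0 >> 29) & 1, "ttl": (word0 >> 22) & 0x3F,
        "length": (word0 >> 16) & 0x3F, "md_type": (word0 >> 8) & 0xF,
        "next_proto": word0 & 0xFF, "spi": word1 >> 8, "si": word1 & 0xFF,
    }
    if (hdr["version"] != NSH_VERSION or hdr["md_type"] != MD_TYPE_1
            or hdr["length"] != MDTYPE1_LEN_WORDS or len(buf) < MDTYPE1_LEN_WORDS * 4):
        raise ValueError("unsupported or truncated NSH")
    hdr["context"] = struct.unpack("!4I", buf[8:24])
    hdr["payload"] = buf[24:]
    return hdr


def sff_forward(table, pkt):
    """SFF: decrement TTL, look up (SPI, SI); return (next hop, packet) or None when dropped."""
    h = parse_nsh(pkt)
    if h["ttl"] <= 1 or h["si"] == 0:        # TTL reaching 0 or SI 0: drop
        return None
    next_hop = table.get((h["spi"], h["si"]))
    if next_hop is None:                       # no path entry: drop, never flood
        return None
    out = build_nsh(h["spi"], h["si"], h["context"], ttl=h["ttl"] - 1,
                    next_proto=h["next_proto"]) + h["payload"]
    return next_hop, out


def sf_process(pkt):
    """SF: decrement the Service Index; an SI that would reach 0 means drop."""
    h = parse_nsh(pkt)
    if h["si"] <= 1:
        return None
    return build_nsh(h["spi"], h["si"] - 1, h["context"], ttl=h["ttl"],
                     next_proto=h["next_proto"]) + h["payload"]


def walk_service_path(table, pkt, is_sf):
    """Simulate one packet through the chain; return (hops visited, delivered?)."""
    hops = []
    while True:
        res = sff_forward(table, pkt)
        if res is None:
            return hops, False
        next_hop, pkt = res
        hops.append(next_hop)
        if not is_sf(next_hop):                # reached the egress / destination
            return hops, True
        pkt = sf_process(pkt)
        if pkt is None:
            return hops, False


# Constructed service path 10: SSL -> LB+WAF -> IDS -> web front end
SFF_TABLE = {(10, 255): "sf-ssl", (10, 254): "sf-lb-waf", (10, 253): "sf-ids", (10, 252): "web-fe"}
SAMPLE_PACKET = build_nsh(10, 255, context=(0xC0A80001, 0, 0, 0)) + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    print(walk_service_path(SFF_TABLE, SAMPLE_PACKET, lambda h: h.startswith("sf-")))
```

The two drop conditions are where the security value sits: an SFF that forwarded unknown (SPI, SI) pairs or ignored TTL would let a crafted header bypass the chain or loop forever, so the lookup table, not the packet, decides where traffic goes.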
Resource Footprint Example: NAT, FW, QoS, IPSec and DPI Services

Assumptions:
- We need to carry 10 Gbps of traffic with IPSec, (QoS + NAT + Firewall) and DPI.
- 1 vCPU image on VMware ESXi, IOS XE 3.14 for IPSec, QoS, NAT and Firewall.
- 4 vCPU image for DPI.

Two designs are compared: a single multi-service VM (LB in front of S1+S2+S3) and multiple single-service VMs (LB in front of separate S1, S2, S3 pools).

    Throughput per VM                                  Multi-Service VM   Multiple Single-Service VMs
    S1: IPSec (1 vCPU)                                 n.a.               0.388 Gbps
    S2: NAT + Firewall + QoS (1 vCPU)                  n.a.               0.69 Gbps
    S3: DPI (4 vCPU)                                   n.a.               0.7 Gbps
    S1+S2+S3: IPSec + (FW + QoS + NAT) + DPI           0.21 Gbps          n.a.

    Number of VMs required for 10 Gbps of forwarding   Total: 48          IPSec: 26, NAT+Firewall+QoS: 15, DPI: 15, Total: 56
    Total number of vCPUs required                     48                 101
    Plus 50% HV traversal tax per VM (e.g. for KVM+OVS) 96                202
    Total memory required (GB)                         192                224
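The table above is the output of a short capacity calculation, and the same calculation is worth keeping as code so it can be rerun with other per-VM throughput figures. The added example below (not from the slides) reproduces both columns from the slide's assumptions. Two things are assumptions made here to match the table: memory is 4 GB per VM (192 GB / 48 VMs), and the "50% traversal tax" is modelled as half the vCPU cycles being consumed by the hypervisor path, so the requirement is divided by 0.5.

```python
import math

# Constructed from the slide: per-VM throughput in Gbps and vCPUs per image
SINGLE_SERVICE_VMS = {
    "S1 IPSec": (0.388, 1),
    "S2 NAT+Firewall+QoS": (0.69, 1),
    "S3 DPI": (0.7, 4),
}
MULTI_SERVICE_VM = {"S1+S2+S3": (0.21, 1)}


def footprint(services, target_gbps=10.0, mem_gb_per_vm=4, hv_tax=0.5):
    """Size a design: each service needs ceil(target / per-VM throughput) instances.

    hv_tax is the fraction of vCPU cycles lost to hypervisor traversal (assumption:
    0.5 reproduces the slide's doubling); mem_gb_per_vm = 4 is inferred from the slide.
    """
    if not 0 <= hv_tax < 1:
        raise ValueError("hv_tax must be in [0, 1)")
    vms = {name: math.ceil(target_gbps / gbps) for name, (gbps, _) in services.items()}
    total_vms = sum(vms.values())
    vcpus = sum(vms[name] * cpus for name, (_, cpus) in services.items())
    return {
        "vms": vms,
        "total_vms": total_vms,
        "vcpus": vcpus,
        "vcpus_with_hv_tax": math.ceil(vcpus / (1 - hv_tax)),
        "memory_gb": total_vms * mem_gb_per_vm,
    }


if __name__ == "__main__":
    for label, design in (("multi-service", MULTI_SERVICE_VM), ("single-service", SINGLE_SERVICE_VMS)):
        print(label, footprint(design))
```

Note how the comparison turns on the DPI image: the multi-service VM runs it on one vCPU at 0.21 Gbps, while the dedicated 4 vCPU DPI pool needs 15 VMs but 60 vCPUs, which is where most of the 101 vCPUs of the second column come from.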
SFC YANG Model in OpenDaylight: Yang Data Model for Service Function Chaining (draft-penno-sfc-yang-13)
Updates on Nexus Portfolio Offerings: Extended NX-API Support Across Nexus 2K-9K

Application Centric Infrastructure
- NEW! ACI release for Nexus 9000 (shipping June 2015)
- Microsoft Azure and System Center integration
- Programmability examples: vCenter plugin, ACI toolkit etc.
- Simplified operations
- Stretched fabric, multiple destinations from 30 km to 150 km
- Group-based policy on OpenStack
- New ACI ecosystem partners (CliQr)

Programmable Fabric
- NEW! Virtual Topology System (VTS) for software overlay provisioning and management across Nexus 2K-9K (2H 2015)
- Standards-based fabric support on Nexus 5600/7x00 with VXLAN BGP EVPN (shipping with Nexus 9000 today)

Programmable Network
- NEW! Unified Open NX-OS release for Nexus 3000 and Nexus 9000 (Q3 2015)
- Enhancements to NX-API: object store and model driven
- Native 3rd party RPM application integration (tcollector, Nagios, Ganglia, Puppet / Chef etc.)
- Linux utilities support for seamless tool integration across compute and network
- SDK for custom application integration
- NEW! Common NX-API across N2K-N9K (2H 2015)
Cisco ACI integration with OpenStack

Two integration options are shown, both running over hypervisors with the OVS driver:
- APIC Driver (ML2) with Neutron Networking: the Neutron Network, Neutron Router and Security Group constructs are mapped by the APIC driver onto the fabric for the Web, App and DB tiers.
- Group Policy Plugin with the APIC Group Driver: Web, App and DB groups are connected by Contracts, with F/W and ADC services inserted between them.
Programmable Fabric: NX-API, VXLAN BGP EVPN Fabric, and Virtual Topology System (VTS)

Diagram: VTS and NX-API provide operations, programmability and automation on top of a BGP-EVPN VXLAN fabric that connects physical (bare metal) and virtualized (VM) workloads, with automated DCI / WAN. VTS provides overlay provisioning and management across Nexus 2000 - Nexus 9000 (2H 2015).
VXLAN as Data Center Overlay technology

Diagram: VTEPs at the edge of local LAN segments map them onto a VXLAN VNI carried across the IP transport network.

Modes of operation:
- Underlay Network: IP routing (proven, stable, scalable); ECMP utilizes all available network paths.
- Overlay Network: standards-based overlay; Layer-2 extensibility and mobility; expanded Layer-2 name space; scalable network domain; multi-tenancy.
- Control plane options: BGP EVPN (BGP control plane with MP-BGP extensions), or multicast based flood and learn (no control plane).
VTS Architecture

- Management and orchestration plane: Cisco NSO, VTS GUI and REST API, integrating with OpenStack, vCenter and 3rd party VM managers.
- Control plane: the Virtual Topology System (VTS) with MP-BGP route reflectors (BGP-EVPN RR), programming ToR and DCI devices over RESTCONF/YANG and peering over MP-BGP towards the IP / MPLS WAN, DCI, WAN / Internet and 3rd party clouds.
- Data plane: bare metal workloads; virtualized workloads with OVS, with dvs, with SR-IOV; and virtualized workloads with the feature-rich, high-performance Cisco VTF.

Cisco Virtual Topology Forwarder (VTF):
- Lightweight, multi-tenant software dataplane
- High performance L2, L3, VXLAN packet processing on x86
- SW VTEP for VXLAN overlays
- Hybrid overlays by stitching hardware and software VTEPs
VTS Overlay Configuration through GUI
1. Create a Tenant
2. Add a Network to the Tenant
3. Add a Subnet
4. Select the ToR and host facing ports
VLAN and VNID are automatically allocated, and the Layer-2 VXLAN segment is configured on the ToR switches.
Current VTS Network Models: based on OpenStack Neutron constructs.
How it all started: Cloud Network Services

GOAL: Improve the experience for consumers of network services
- Service immediacy and speed
- Freedom of choice, service customization
- Personalized experience, user in charge
- Consumption based economics
- Bring your own device, craft your own design
How it all started: orchestration and network layers

Diagram: CPE devices are served by an Orchestration Layer (network service lifecycle management: service topology, model based, soft real time, event driven) above a Network Layer (control and data planes: discovery of devices, network topology, physical devices, virtual devices, advanced network technologies/features).

GOAL: Improve the experience for consumers of network services
- Automated service delivery, simplicity and efficiency ("IT-less")
- Automated service creation, high cadence of new services
- Self-service creation and reporting
- Elasticity of network and compute resources
- Open architecture, extensibility
Customer Experience
1. Order services
2. CPE ships
3. Orchestration happens!
4. Unbox and plug in the CPE
5. Service up and running (vCPE, vFW)
CloudVPN Business Services: CloudVPN with Internet, FW, RA and Next-Gen-IPS

Cloud-hosted management: scalable, elastic, on-demand.
- Cloud IPVPN with FW and remote access to the Internet
- vFW with NAT and policy
- vFW with IPSec/SSL remote access, including remote end-host posture verification
- vNG-IPS (SourceFire) for advanced threat protection and real-time contextual awareness
- Overlay packet tunnels: IPSec tunnel mesh, hub and spoke

Diagram: CPEs connect over the Internet to the SP cloud, where a VR, vFW and vNG-IPS sit behind the Internet router.
CloudVPN Architecture

1. The customer orders the service through the Tenant Portal / SP's OSS/BSS, which drives NCS over its REST API.
2. PnP functionality (PnP server): zero touch provisioning; provides the Day 1 configuration to the CPE.
3. The Elastic Services Controller (ESC), driven over NETCONF/YANG and RESTCONF/YANG, provisions CSR1Kv, ASAv and vWSA on OpenStack (x86 servers, vswitch, ODL, VTF) as the VNF service chain.
4. The CPE, shipped to the customer site, connected and powered on, establishes the VPN to the Internet gateway: IPSec tunnel plus IP overlay (L2TP, VXLAN, GRE, LISP).
CBCS: Cloud based Consumer Services, a service enabling approach

Diagram: a physical CPE (pCPE) in the home connects over the access network to a virtual CPE (vCPE) on the Virtual Broadband Network platform.
- The home network is virtually extended to the vBN platform, moving most L3 features from the home to the SP datacenter.
- Services instantiated on the compute module: Network Attached Storage, Wi-Fi management, remote access to data, multimedia access, home automation / IoE, anti-virus / parental control.
Orchestration Infrastructure and Interfaces

Diagram: a self-onboarding Portal and RCS drive the Orchestration Resource Manager over REST APIs; the ACS Controller manages the pCPE over TR-069 (pCPE forwarding mode and overlay); vCPE containers on a host with a vswitch, together with the media server / connected storage, are managed over RPC APIs; the pCPE reaches the vCPE over SoftGRE, L2TPv3 or VLANs across an IP or IP/MPLS transport.
Thank you