OpenFlow: What's it Good for?


OpenFlow: What's it Good for?
Apricot 2016
Pete Moyer, Principal Solutions Architect, Brocade (pmoyer@brocade.com)

Agenda
SDN & OpenFlow refresher
How we got here
SDN/OF deployment examples
Other practical use cases for SDN/OF
Conclusion

OpenFlow & SDN Refresher

"Data center networks are in my way." -- James Hamilton

Software Defined Networking: Evolving Definition
A network in which the Control Plane is physically separated from the Data Plane
OpenFlow is the enabler
SDN =? OpenFlow
SDN > OpenFlow
Distribute what you must, centralize what you can
[Figure: Traditional Router = Control Plane (software) + Data Plane (hardware); SDN-OpenFlow = Controller holding the Control Plane (software), exposing APIs and driving the Data Plane (hardware); Hybrid = Router keeps its own Control Plane (software) and Data Plane (hardware) alongside the Controller]

OpenFlow Version History
OpenFlow v1.0 (12/2009): L2 and L3 (IPv4) matching fields; many actions (including normal)
OpenFlow v1.1 (02/2011): MPLS label/exp matching fields; multiple flow tables, group table; virtual ports
OpenFlow v1.2 (12/2011): IPv6 matching fields; multiple controllers, role change
OpenFlow v1.3 (4/2012): QoS metering; capabilities & version negotiation
OpenFlow v1.4 (8/2013): improved capability discovery, extensibility
OpenFlow v1.5 (12/2014): TCP flag matching; egress tables; improved metering
OpenFlow v1.6 (2016?): tunneling
OF v2.0 or NG? (TBD): P4? TTPs
http://www.sigcomm.org/sites/default/files/ccr/papers/2014/July/0000000-0000004.pdf

OF/SDN Deployment Examples

Google B4 OF/SDN Network: Inter-DC Backbone
[Figures dated 5/2013 and 4/2014]

Google B4 OF/SDN Network: Summarized Benefits
Separate control plane from forwarding plane
  Choose HW based on necessary features
  Choose SW based on protocol requirements
  Decouple HW & SW innovation
Logically centralize the network control plane
  Deterministic, efficient, global view
  Allow automation, flexibility and innovation
Achieved ~99% WAN link utilization

Internet2 SDN Backbone (7/2012)

Internet2 Backbone Routers: http://routerproxy.grnoc.iu.edu/al2s/

Internet2 OpenFlow flows installed: http://routerproxy.grnoc.iu.edu/al2s/

A few more SDN announcements (3/2014, 10/2012, 12/2015)

Other Deployment Examples: where are they?
Another POV: the demise of OpenFlow has been greatly exaggerated

So what (else) is OpenFlow good for?

SDN Use Cases (grouped under Control, Automation and Visibility)
Volumetric Attack Mitigation
Elephant Flow Management
Firewall Bypass
Policy Based Flow Forwarding
Botnet Attack Mitigation
SDN Based MPLS Traffic Engineering
Bandwidth Scheduler
Packet-Optical Integration
WAN Network Virtualization
Flow Metering
SDN Based Wiretap
VXLAN Monitoring

L2-L4 DDoS Mitigation Example Network: Volumetric Attack Mitigation
[Figure: Internet -> BGP Border Router (hybrid) -> Core Routers; an SDN App on OpenDaylight sees the incoming attack flow and installs the mitigation on the border router: discard flow]

Flow Metering & Accounting: Improve network utilization and reliability
Flow Optimizer v1.1: committed for GA in May 2015; GA, shipping in May 2015
[Figure: an sFlow Collector feeds the SDN App (analytic flow control) with the flow parameters of interesting traffic; the app pushes an OF rule to rate limit; the router applies OF-based metering and then normal L2/L3 forwarding between the Campus / DC and the WAN / Internet, or inside the WAN or DC network]

Traditional REN Science-DMZ
Campus firewall is a performance bottleneck
Traditional Science-DMZ architecture connects the science LAN outside the FW
Creates security exposure?
[Figure: WAN -- 100 GbE link -- Science DMZ Switch -- 10G/40G -- high-performance Data Transfer Nodes with high-speed storage; Enterprise Border Router/Firewall -- 10/40 GbE link -- campus Switch]
https://fasterdata.es.net/science-dmz/

SDN for Policy-Based Firewall Insertion / Bypass
Operator driven or sFlow threshold driven policy enforcement for large trusted flows
[Figure: Enterprise Datacenter 1 and Enterprise Datacenter 2 connected over the WAN / Internet, with a one-armed firewall and an inline firewall; the default traffic flow passes through the firewall while the trusted traffic flow bypasses it, under control of the SDN App and SDN Controller]

Elephant Flow Management: Dynamic and Programmatic Action for an Efficient Network
Target for v1.2
Programmable / scheduled via northbound API
[Figure: sFlow Collector -> SDN App / App Monitor -> Flow Policy (matched flow parameters, action) -> OF matching on the Campus / DC router; regular traffic follows normal forwarding, critical traffic is re-marked, and elephant flows are re-directed onto dedicated paths towards the WAN / Cloud]

Or keep doing this?
ip access-list extended <name>
 permit ip any host 10.250.64.2
 permit ip any host 10.250.120.0
 permit ip any host 10.110.65.6
 permit ip any host 10.2333.120.4
 deny udp any host 10.223.98.8 eq 2152
 deny udp any host 10.223.98.5 eq 2152
 deny udp any host 10.223.98.3 eq 2152
 deny udp any eq 2152 host 10.223.98.8
 deny udp any eq 2152 host 10.223.98.5
 deny udp any eq 2152 host 10.223.98.3
 permit ip any host 10.119.65.7
 permit ip any host 10.119.65.11
access-list 10 permit any
access-list 50 permit 10.100.64.0 0.0.0.255
access-list 165 permit ip host 10.142.64.31 10.196.48.0 0.0.0.255
access-list 165 permit ip 10.62.64.0 0.0.0.255 host 10.79.213.25
access-list 165 permit ip host 10.72.64.2 host 10.79.213.11
ip access-list extended <name>
 permit vlan 1250 ip any any
 permit vlan 1251 ip any any
route-map <name> permit 50
 match ip address 50
 set ip next-hop 172.16.10.10
route-map <name> permit 51
 match ip address 51
 set ip next-hop 172.16.11.11
route-map test permit 101
 rule-name <name>
 match ip address <ipv4-prefix-list>
 match ipv6 address <ipv6-prefix-list>
 set next-hop-flood-vlan 1013
 set interface null0
route-map <name> permit 102
 rule-name <name>
 match ip address <ipv4-prefix-list>
 match ipv6 address <ipv6-prefix-list>
 set next-hop-flood-vlan 1123
 set interface null0

What about OpenFlow with MPLS?
Multiple RSVP-signaled LSPs (Gold, Silver, Bronze, etc.)
OpenFlow rules for per-application classification (and metering) applied at the ingress LER; redirect action into the MPLS LSP
[Figure: Data Center -- LER1 -- MPLS WAN -- LER3 -- Data Center, with the SDN App programming the LERs]
Different LSPs for application/traffic prioritization and traffic engineering
Classification at ingress into the appropriate TE'd LSP (aka flow-based forwarding)
OF granularity for classification
May also provide ingress policing/metering (e.g. a CAC function)

But there's more! How do you get packet captures?

Current Network Visibility Mode of Operation
Problem 1: Obtaining data plane traffic visibility in production networks is *very* challenging
  Network probes are commonly deployed, or a dedicated out-of-band visibility network is deployed
  Both approaches increase CAPEX
  Both approaches limit the visibility of traffic to specific aggregation points in the network, either because of where the probes are deployed or where the network is tapped to send flows to the visibility fabric
Problem 2: Provisioning and operating a dynamic visibility solution is not efficient, nor in real time
  Hampers the ability to troubleshoot real-time performance problems

Current Network Visibility Mode of Operation (continued)
Problem 3: Networking devices have many limitations in terms of providing specific data traffic to be monitored
  Switch/router SPAN/RSPAN mirrors *all* traffic from one port to another port
  ACL-based port mirroring can provide traffic granularity; however:
    At the expense of very complex CLI configurations
    Lacks an efficient & dynamic update capability
    Has scalability limitations
    No central repository of these distributed, network-wide ACL-based port mirroring configurations

SDN-based Inline Packet Capture Example (committed for v1.1)
No network taps or probes
Per-flow in-line visibility: surgical mirroring
Centralized control
No complex router configurations (ACL, PBR, SPAN, etc.)
No separate visibility network required
[Figure: the SDN App sends flow parameters to the router; at the ingress port the SDN FlowTap copies the matched flow to the Analytics Network / tool(s) while the packet continues through the normal forwarding pipeline of the DC or campus network]

Conclusions
OF-based SDN is here: deployed
  A few examples provided
  OF-based forwarding of normal traffic; network transport
  Centralized control plane
OF-based SDN can solve many other problems
  As a tool for programmatic control of policy
  Centrally managed ACL & PBR replacement
  OF-based exception handling of interesting traffic; network services
  Normal traffic forwarded normally
  Solves various operational use cases