Cloud Networking is not Virtual Networking - London VMUG 20130425

Transcript

1. PacketPushers.net Cloud Networking is NOT Virtual Networking

2. PacketPushers.Net About Me •Host of Packet Pushers Podcast PacketPushers.net •“Cloud

   Plumber” at Canopy Cloud Cloud Network Architect, Office of CTO ( Division of Atos ) •Blog - EtherealMind.com •NetworkComputing.com (http:// networkcomputing.com/blogs/author/Greg-Ferro) 2

3. PacketPushers.Net Agenda •Why your Network Guy Doesn’t Care About You

   •Cloud Networking is not Virtual Networking •Cloud Network Services •Where is SDN ? 3

4. PacketPushers.Net 4 Internet Not where servers are Security Thingies Wotsits

   "THE LAN" Servers Active Directory File SQL Mail Provisioning MAGIC STUFF Friendly)Gnomes Dark Spirits Server Admins See...

5. PacketPushers.Net 5 Network Admins see .... ISP2 ISP1 Firewall Access

   Layer Load Bal WAN B2B A SERVER WAAS /Cache IPS/IDS

6. PacketPushers.Net Networking is in my way •The Network is SINGLE

   SYSTEM •every element is interconnected to another in the LAN or WAN or both •Rebooting a device might/could take down the whole network •If rebooting or reconfiguring a server could cause the entire DC to fail, what would your job look like ? 6

7. PacketPushers.Net Data Centres != Universe • I’d like to remind

   VMware executives that network is bigger than VMware ....... • “vCDNI means that you never have to talk to the network guy ever again” VMworld 2010 (faceless butthead) • “Meanwhile, through all of the advances in server virtualization and cloud computing, networking has remained stuck in the past.” - Hatem Naguib, Vice President, Networking & Security - Mar 13, 2013 • Servers connect to Clients • Network is a platform. • VMware is just one “network app”. • take some time to look down the service chain instead of up your own arse 7

8. PacketPushers.Net Data Centres != Universe 8 Internet Campus LAN Remote

   Access The WAN Wireless Data Centre Firewalls Servers storage DC NETWORK Cabling VMware Network Security IP Voice This is you

9. PacketPushers.Net What a Server Does •Servers are Packet Generators •In

   SDN, Servers are FLOW Generators 9

10. PacketPushers.Net Impact Pyramid 10 Power, Physical Hosts Users Connectivity Applications

    Data Centre Network Servers, Storage, VMware Apps Impact Pyramid • Which failure class causes the greatest impact ? • A user ? • One server ? • A VMware cluster ? • A storage array ? • A Network ? • A Data Centre

11. PacketPushers.Net Networking is in my way •Because networks are good

    enough, the budget gets there last. •Wasted investments like patching, virus scan & updates. Networking doesn't have those problems at the same scale. •Servers were so far behind. •Custom silicon takes 3-5 years from concept to delivery. •Too expensive - 5 years depreciation cycle 11

12. PacketPushers.Net Rant Over Infrastructure As A Team 12

13. PacketPushers.Net Agenda •Why your Network Guy Doesn’t Care About You

    •Cloud Networking IS NOT Virtual Networking •Cloud Network Services •Where is SDN ? 13

14. PacketPushers.Net Virtual Networking is OLD • Virtual LANs in 1996

    • Virtual Routing in 2002/3 (MPLS) • Virtual Network Appliances (firewalls, load balancers) in 2007/8 • “Lets do it again” say bitter, cynical networking voices of experience • Virtual Networking is OLD networking 14

15. PacketPushers.Net 15 Virtual Problems •Four problems of Virtual Networking ‣

    CapEx for all physical appliances ‣ Single points of redundant failure - software in coherent system ‣ No API / poor configurability ‣ Individual autonomous elements ( no vCenter, SCVMM/SCOM equivalent)

16. PacketPushers.Net Virtual Networking 1 - CapEx 16 • Initial Large

    CapEx for Data Centre Network • Sporadic Upgrades (usually in response to problems) Time Capital Expenditure Network Install Port Capacity Network Upgrade Server Upgrades Server Upgrades Server Upgrades CapEx Waste

17. PacketPushers.Net SVR WAN RTR Internet RTR FWL FWL SVR SVR

    SVR SVR SVR SVR Stateful HA Active/Standby WAN Internet LoadBal LoadBal Stateful HA Virtual Networking 2 - Failure Modes •Single points of Complex failure •Why have only one pair of firewalls ‣ routing, cost, power users ‣ Only one or two critical services need HA •HA systems are inherently risky & shared fate systems. ‣ Active/Standby firewall •HA in vertical scale system = $$$$$’s 17

18. PacketPushers.Net Virtual Networking 3 - Configuration • Manual Configuration •

    All devices are configured using “power tools” • Every engineer is a “power user” • Why have an API ? Substandard & lack vendor commitment • Restricts number of devices (requires power users) • A serious networking problem..... 18

19. PacketPushers.Net Virtual Networking 4 - Autonomy •Individual autonomous elements •Central

    control neither desirable or relevant ie vCenter, SCVMM/SCOPs is risky system. •Resilient & Distributed Systems like the Internet work well. •Data Centres are NOT distributed. 19

20. PacketPushers.Net VBLOCK UCS2100 UCS2100 UCS 5100 B2xx B2xx B2xx B2xx

    B2xx B2xx B2xx B2xx UCS2100 UCS2100 UCS 5100 B2xx B2xx B2xx B2xx B2xx B2xx B2xx B2xx VNX MDS MDS UCS2100 UCS2100 UCS 5100 B2xx B2xx B2xx B2xx B2xx B2xx B2xx B2xx Ethernet Core Ethernet Core NX7K Core Context NX7K Core Context LoadBal UCS6200 UCS6200 LoadBal NX7K Aggr Context NX7K Aggr Context ASA Firewall ASA Context ASA Context ASA Firewall ASA Context ASA Context MPLS/WAN Internet VMDC Design Template v2.1 - Cisco CVD NX5K NX5K NX5K NX5K DMZ Svr DMZ Svr DMZ Svr DMZ Svr DMZ Svr Complex, Insecure •Traffic loops to physical devices •Insecure (VLANs, Routing) •Advanced networking skills for dumb results •Chained failure domains 20

21. PacketPushers.Net Many Moving Parts 21 Cisco UCS B-Series Blade/ C-Series

    Rack Server vPC Passthrough Switching (PTS) Operating System - vSphere Ethernet dNIC FEX2100 FEX2100 Ethernet dNIC FC dHBA FC dHBA FI6100 FI 6100 Palo/VIC Software CNA Software pNIC Software pNIC Software pHBA Software pHBA Ethernet dNIC Ethernet dNIC FC dHBA FC dHBA Nexus Switch Nexus Switch Fabric Sync vPC Link Connection Pinning Connection Pinning Connection Pinning Ethernet dNIC FC dHBA more Could be PortChannel •Takes a long time to understand this complexity. •Automation / Software solves the problem

22. PacketPushers.Net 22 Virtual Networking - Strengths •performance, scale •no centralised

    points of control (failure domain) •distributed, self healing, eventual consistency •20 year proven system, widespread knowledge & expertise

23. PacketPushers.Net Define Cloud Networking Cloud Networking is: •Network Devices as

    Software •Don’t buy hardware. Install software. •Deploy many small instances (horizontal) instead of one big one (vertical) 23

24. PacketPushers.Net Cloud Networking • Build Network Services with Applications •

    Instead of a firewall deploy a Web Service. • Instead of A Load balancer install the “Sharepoint Load Balancer”. • One network per service is a huge change in network practice 24

25. PacketPushers.Net Cloud Pro & Con’s • Use 20 small network

    devices than instead of 1 pair of physical devices • Distribute complexity, reduce failure • simpler configuration -> easier operation -> better fault tracing • More complex network design • You MUST deploy / build automation & monitoring to manage many devices. 25

26. PacketPushers.Net SVR MPLS/WAN RTR Internet RTR FWL FWL SVR SVR

    SVR SVR SVR SVR DC Design Today 26

27. PacketPushers.Net MPLS/WAN RTR Internet FWL FWL SVR SVR RTR FWL

    FWL FWL FWL RTR RTR RTR SVR SVR FWL FWL SVR SVR SVR SVR SVR Physical Network Services VMware vCloud Everything a VM Cloud Networking 27

28. PacketPushers.Net Awesome? 28

29. PacketPushers.Net MPLS/WAN RTR Internet FWL FWL SVR SVR RTR FWL

    FWL FWL FWL RTR RTR RTR SVR SVR FWL FWL SVR SVR SVR SVR SVR Physical Network Services Cloud Networking Design Problems •Network Appliances close to server/application •What about routing ? •What about server-to- server communication ? •Better Security. •Business control over applications, developers & business units 29

30. PacketPushers.Net Complexity •Complex Design is a good tradeoff for Better

    DevOps •Complexity can be solved with AUTOMATION 30

31. PacketPushers.Net Cloud Networking looks like...... •VMware vCloud •vApps •vCNS 31

32. PacketPushers.Net Cloud Networking Gotchas • network is subject to hugely

    bursty traffic and loads • No one knows what sort of load / bandwidth / packet per second / concurrent flows the application needs. • Hypervisor VMs are SLOW and LATENT compared to custom silicon • Cascading failure in congestion events 32

33. PacketPushers.Net Gotchas - Hardware Huggers •networking is ‘addicted’ on hardware

    ( network hugging has a practical basis e.g. cabling, WAN, path analysis ) •hardware is needed but software more important. •merchant silicon will change networking, especially in low end, but unlikely to commoditise in same way as servers 33

34. PacketPushers.Net Gotchas - Vendors • vendors commit hundreds of millions

    to design and manufacture of silicon on multi-year cycles • Software undermines existing vendor strategies • Firewalls: Palo Alto PanOS, Cisco ASA , Juniper SRX. Load Balancers: F5 TMOS, Citrix NetScaler. (consider Riverbed Stingray) • Pricing is not aligned to requirement ‣ i.e. software pricing equivalent to hardware price ‣ assumes one for one replacement 34

35. PacketPushers.Net Gotchas - HA •You still need TWO appliances for

    HA ‣ but most applications are not HA •LB’s, Firewalls, Routers are always HA because they are critical ‣ are they critical because one big unit in a single location 35

36. PacketPushers.Net Gotchas - Server Teams • distributed software devices means

    spreading load and configuration. • Also mean more complexity. • You must control “application sprawl” to maintain network integrity in switching & routing • Server / VM teams MUST learn some Cloud Networking / Network teams MUST learn some Cloud Server 36 MPLS/WAN RTR Internet FWL FWL SVR SVR RTR FWL FWL FWL FWL RTR RTR RTR SVR SVR FWL FWL SVR SVR SVR SVR SVR Physical Network Services

37. PacketPushers.Net And so to SDN •Devices like vCNS Shield, Edge

    and App are (relatively) feature simple. •But might be Good Enough™ •If you follow the previous points you will realise that you need much better networking .... 37

38. PacketPushers.Net Agenda •Why your Network Guy Doesn’t Care About You

    •Cloud Networking is not Virtual Networking •Cloud Network Services •Where is SDN ? 38

39. PacketPushers.Net Define SDN •Primary: Software configured networking •Automated deployment •Automated

    change •Let the VM/Server do it’s own networking. 39

40. PacketPushers.Net Any Changes ? •Networking in still Networking •Servers are

    still Servers •SDN moves most networking into the “vSwitch” •The Network Guy will control it •You will need networking skills to SDN 40

41. PacketPushers.Net Pre-Virtual Networking 41 SW SW SW SW SW SW

    SW SW SW SW Sw SW Core Distribution Access

42. Physical Network 42

43. SDN Network 43

44. SDN Network 44 Network Agent vServer vServer vServer vServer vServer

    vServer Network Agent vServer vServer vServer vServer vServer vServer Network Agent vServer vServer vServer vServer vServer vServer Tunnel Fabric Flow Forwarding Ethernet/IP LAN Fabric VXLAN

45. PacketPushers.Net vSwitch SDN (Today) 45 •vSwitch becomes an active network

    “agent” instead of a patch panel •Flows not Packets •Routing and Switching •Load Balancing •Edge Security

46. PacketPushers.Net Controller Networks 46 East West LAN Switches Network SDN

    Controller OpenFlow

47. Controller Networking 47 East West LAN Switches Network SDN Controller

    OpenFlow Quantum/OpenStack Configuration Controller Orchestration Controller Northbound SDN Northbound SDN Southbound SDN North/South LA

48. PacketPushers.Net SDCC 48 • Cannot “software” a physical network but

    you can program a “software” network • Network Agents move complexity to the edge • Ubiquitous Network Services increases the overall network usefulness • Vastly improved security • Options for networking multiple clouds and bare metal servers

49. PacketPushers.Net SDN Vendors •Real Products ‣ BigSwitch Networks ‣ NEC

    ‣ Midokura ‣ VMware/Nicira •“Shipping” ‣ Nuage Networks (Alcatel/Lucent) ‣ Contrail (Juniper) ‣ VMware/Nicira •Still Working on It ‣ Cisco (multi-product, multi-strategy) 49

50. PacketPushers.Net My views on VMware NSX • NSX delivers SDN

    strategy • Works for Enterprise AND Service Providers • NSX is solution for KVM. Hyper-V & bare metal future. • NSX appears “software only” - expect network vendors to offer integrated solutions 50

51. PacketPushers.Net SDN Reality • Unproven. Beta - 2013. Major Release

    2014. • Enterprise will find it hard to value (ITIL / ITSM disconnect) • vSphere vs vCloud = Virtual vs Cloud Networking • Server / Networking duty merge • Rewiring of team & technical disciplines • ITIL & ITSM Change management overhaul 51

52. PacketPushers.Net SDN Closeout •SDN delivers business outcomes •SDN means MORE

    networking not less •Servers <-> Networks will be tightly integrated as a technology and team structure will reflect that - “IaaT” • 52

53. PacketPushers.Net About Me •Host of Packet Pushers Podcast PacketPushers.net •“Cloud

    Plumber” at Canopy Cloud Cloud Network Architect, Office of CTO ( Division of Atos ) •Blog - EtherealMind.com •NetworkComputing.com (http:// networkcomputing.com/blogs/author/Greg-Ferro) 53