Introduction to Overlay Networking - Interop New York 2013

Transcript

1. PacketPushers.net Introduction to Overlay Networking Wednesday, 2 October 13

2. About Me ‣ Not a vendor ‣ Not an analyst

   ‣ Not working for “big web” ‣ or some other big name corporate Wednesday, 2 October 13

3. About Me ‣ Host of Packet Pushers Podcast ‣ Freelance

   Network Architect/Engineer ‣ Blog - EtherealMind.com ‣ NetworkComputing.com (http://networkcomputing.com/blogs/author/Greg-Ferro) ‣ Slides: speakerdeck.com/etherealmind Wednesday, 2 October 13

4. Agenda ‣ Part 1 - What is Overlay Networking ?

   ‣ Part 2 - Sample Designs for SDDC ‣ Part 3 - Wider Impacts Wednesday, 2 October 13

5. Household Matters ‣ Phones ‣ Questions ‣ Toilets ‣ Mobiles

   Wednesday, 2 October 13

6. Today ‣ Who controls the Network Edge ? vSwitch VM

   VM VM VM VM NIC SWITCH NIC SWITCH Wednesday, 2 October 13

7. Start at the Edge ‣ Virtual Switch = automated patching

   ‣ Server / Network integration is poor ‣ Working without insight SWITCH SWITCH VM VM VM VM VM vSwitch Wednesday, 2 October 13

8. True Networking Network Agent VM VM VM VM VM NIC

   SWITCH NIC SWITCH SWITCH SWITCH VM VM VM VM VM Wednesday, 2 October 13

9. Physical Server Hypervisor vSwitch VM VM OS App vNIC OS

   App vNIC Driver Driver ToR pNIC pNIC ToR Wednesday, 2 October 13

10. Physical Server Hypervisor vSwitch VM VM OS App vNIC OS

    App vNIC Driver Driver ToR pNIC pNIC ToR Physical Server Hypervisor vSwitch VM VM OS App vNIC OS App vNIC Driver Driver pNIC pNIC Physical Server Hypervisor vSwitch VM VM OS App vNIC OS App vNIC Driver Driver pNIC pNIC Physical Server Hypervisor vSwitch VM VM OS App vNIC OS App vNIC Driver Driver pNIC pNIC Wednesday, 2 October 13

11. 11 Distribution Distribution Distribution Distribution Access Access Access Access Access

    Access Access Access Core Core X X X X X X X X X X X X Svr Svr Svr Svr Svr Svr Svr Svr Svr Svr Svr Svr Svr Svr Svr Svr Svr Svr Svr Svr Svr Svr Svr Svr Svr Svr Svr Svr Svr Svr Svr Svr vSwitch vSwitch vSwitch vSwitch vSwitch vSwitch vSwitch vSwitch vSwitch vSwitch vSwitch vSwitch vSwitch vSwitch vSwitch vSwitch Physical Network Virtual Network Wednesday, 2 October 13

12. ‣ MAC or IP Scalability ‣ ToR Switches with 8K

    or 16 K TCAMs ‣ 16000 MAC = 16K VMs ‣ 50 VMs per server = 320 servers ‣ Other devices are rounding errors ‣ 4000 VLANs is not enough Scalability Problem Wednesday, 2 October 13

13. Provisioning Problem ‣ Automation VLAN and Port provisioning ‣ STP

    Creation and deletion ‣ IP Subnet Creation and Deletion ‣ Occur 24/7 without change control ‣ STP, IP Routing are slow & risky ‣ even at 250 ms timers with BFD Wednesday, 2 October 13

14. Multitenancy ‣ Security at Cloud/Hosting locations ‣ Zones in an

    Enterprise (more later) Wednesday, 2 October 13

15. Traffic Loops UCS2100 UCS2100 UCS 5100 B2xx B2xx B2xx B2xx

    B2xx B2xx B2xx B2xx MDS MDS UCS2100 UCS2100 UCS 5100 B2xx B2xx B2xx B2xx B2xx B2xx B2xx B2xx Ethernet Core Ethernet Core NX7K Core Context NX7K Core Context LoadBal UCS6200 UCS6200 LoadBal NX7K Aggr Context NX7K Aggr Context ASA Firewall ASA Context ASA Context ASA Firewall ASA Context ASA Context MPLS/WAN Internet VMDC Design Template v2.1 - Cisco CVD NX5K NX5K NX5K NX5K DMZ Svr DMZ Svr DMZ Svr DMZ Svr •Loop up and down, left and right. •MPLS, VRFs •No automation •Change control Wednesday, 2 October 13

16. Mobility ‣ Application Mobility means Server Mobility today. ‣ orchestration

    and automation ‣ faster Wednesday, 2 October 13

17. Introduction to Overlay Networking Wednesday, 2 October 13

18. Overlay Networking 18 Wednesday, 2 October 13

19. Overlay Networking 19 Wednesday, 2 October 13

20. Overlay Networking 20 •Full Mesh of Tunnels •Using existing assets

    •No impact to physical network - NO CHANGE CONTROL Wednesday, 2 October 13

21. Overlay Networking 21 •Separate overlay network per customer •Single point

    of control in the “vSwitch” •Lower security obligation on physical network simplifies operation Wednesday, 2 October 13

22. Overlay Networking 22 •Today, vSwitch is a “robot patch panel”

    •Tomorrow, a network device performing routing, load balancing, filtering/firewall at network edge Wednesday, 2 October 13

23. Network performance of x86 •Intel confirms 40Gbps forwarding on a

    single CPU core •Expect to see Fulcrum switch silicon on motherboard in 2015 & CPU die by 2017 (maybe) 23 Wednesday, 2 October 13

24. Network Agent as Router •Network agent can •filter at the

    edge, •load balance across available path •policy route (SRC/DST into tunnel interfaces 24 Wednesday, 2 October 13

25. 25 Physical Server Physical Server Physical Server pNic pNic VM

    Core Core Core Core Agent ToR ToR pNic pNic VM Agent ToR ToR pNic pNic Agent Data Centre Logical Overlay Network TUNNEL SWITCHING Wednesday, 2 October 13

26. 26 Physical Server Physical Server Physical Server pNic pNic VM

    Core Core Core Core Agent ToR ToR pNic pNic Agent ToR ToR pNic pNic VM Agent TUNNEL ROUTING Wednesday, 2 October 13

27. 27 Physical Server Physical Server Physical Server VM VM VM

    VM VM VM Core Core Core Core vSwitch ToR ToR VM VM VM VM VM VM vSwitch ToR ToR VM VM VM VM VM VM vSwitch Hypervisor Manager Network Controller API Enabled Network Devices API Enabled Software Network Agents Wednesday, 2 October 13

28. 28 Data Centre Physical Network Physical Server Physical Server Physical

    Server pNic pNic VM VM VM VM VM VM Core Core Core Core vSwitch ToR ToR pNic pNic VM VM VM VM VM VM vSwitch ToR ToR pNic pNic VM VM VM VM VM VM vSwitch L2 with TRILL / MLAG L3 with ECMP Wednesday, 2 October 13

29. Agenda ‣ Part 1 - What is Overlay Networking ?

    ‣ Part 2 - Sample Designs for SDDC ‣ Part 3 - Wider Impacts Wednesday, 2 October 13

30. Software Defined Data Centres 30 ‣ Overlay Networking means that

    the network has a new range of services ‣ Full service separation for security and multi-tenancy applications Wednesday, 2 October 13

31. Today 31 UCS2100 UCS2100 UCS 5100 B2xx B2xx B2xx B2xx

    B2xx B2xx B2xx B2xx UCS2100 UCS2100 UCS 5100 B2xx B2xx B2xx B2xx B2xx B2xx B2xx B2xx Ethernet Core Ethernet Core NX7K Core Context NX7K Core Context LoadBal UCS6200 UCS6200 LoadBal NX7K Aggr Context NX7K Aggr Context ASA Firewall ASA Context ASA Context ASA Firewall ASA Context ASA Context MPLS/WAN Internet VMDC Design Template v2.1 - Cisco CVD NX5K NX5K NX5K NX5K DMZ Svr DMZ Svr DMZ Svr DMZ Svr DMZ Svr Wednesday, 2 October 13

32. 32 Physical Server Physical Server Physical Server Core Core Core

    Core ToR ToR ToR ToR Ethernet Fabric - "Underlay" Overlay LAN 1 Overlay LAN 2 pNic pNic pNic pNic pNic pNic Agent Agent VM Agent VM VM VM Wednesday, 2 October 13

33. 33 Physical Server Physical Server Physical Server Virtual Data Center

    1 Virtual Data Center 2 Agent Agent VM Agent VM VM Network Controller VM VM VM VM Wednesday, 2 October 13

34. 34 Software Networking ‣ Virtual Machine as Part of the

    Network ‣ Firewalls, Load Balancers, IDS/IPS ‣ Logging Servers ‣ Overturns How Network Architecture Supports Applications Wednesday, 2 October 13

35. 35 RTR RTR FWL FWL Core Core Access Access SV

    R SV R SV R SV R SV R SV R Access Access SV R SV R SV R SV R SV R SV R Access SV R SV R SV R Application Shared Resources Internal Service Application RTR RTR FWL FWL Core Core SVR SVR SVR SVR SVR SVR SVR SVR SVR SVR SVR SVR DMZ SVR SVR SVR Wednesday, 2 October 13

36. 36 Application Shared Resources Internal Service Application SVR SVR SVR

    SVR SVR SVR SVR SVR SVR SVR SVR SVR DMZ SVR SVR SVR RTR RTR FWL FWL RTR FWL RTR FWL FWL FWL Wednesday, 2 October 13

37. 36 Application Shared Resources Internal Service Application SVR SVR SVR

    SVR SVR SVR SVR SVR SVR SVR SVR SVR DMZ SVR SVR SVR RTR RTR FWL FWL RTR FWL RTR FWL FWL FWL Application Shared Resources Internal Service Application SVR SVR SVR SVR SVR SVR SVR SVR SVR SVR SVR SVR DMZ SVR SVR SVR RTR RTR FWL FWL RTR FWL RTR FWL FWL FWL Wednesday, 2 October 13

38. 37 Virtual Data Centers ‣ Network separation by overlay and

    controller ‣ Server <-> Network integration at controller Wednesday, 2 October 13

39. 38 Internet Customer vDC VM Internet FW Customer vDC VM

    Internet FW Customer vDC LB VDI IDS AD LOG VDI VDI VM VM VM VM VM Wednesday, 2 October 13

40. 39 Internet Customer vDC vApp Template FW SVR VDI VDI

    SVR App Catalog vApp Template FW SVR VDI VDI SVR Wednesday, 2 October 13

41. 40 Internet Customer vDC vApp Template FW SVR VDI VDI

    SVR App Catalog vApp Template FW SVR VDI VDI SVR RTR SVR Zone 3 vDC SVR SVR SVR Wednesday, 2 October 13

42. 41 SVR SVR SVR SVR SVR SVR SVR Multiple Service

    Line Model RTR RTR FW FW FW FW LB SVR RTR FW LB SVR SVR FW FW SVR SVR SVR VPN Internet Wednesday, 2 October 13

43. 42 SVR SVR SVR Resources Services vDC SVR SVR RTR

    Active Directory Patching SVR AntiVirus vCNS SVR vCNS SVR SVR SVR Service Lines with Shared Resources RTR RTR FW FW FW FW LB SVR RTR FW LB SVR SVR FW FW SVR SVR SVR VPN Internet Wednesday, 2 October 13

44. 43 RTR VPN IAM NAC Juniper MAG ? RSA IAM

    Juniper SA Security vDC RTR SVR Zone 1 vDC vCNS RTR DLP FW PXY SAML Internet SVR SVR Resources Services vDC SVR SVR SVR RTR Active Directory Patching SVR AntiVirus PXY Remote Access/BYOD Outbound Web Services LOG LOG RTR FW Inbound Web Services IDS IDS RTR SVR Zone 2 vDC vCNS SVR SVR SVR RTR SVR Zone 3 vDC vCNS SVR SVR SVR . . . . . . . Templates Virtual Data Centre Inter-Org Links LOG Wednesday, 2 October 13

45. SDDC Features ‣ Use LOTS & LOTS of software appliances

    ‣ Firewalls, routers, IDS, ‣ Instead of one big one, have many smaller ones per service ‣ configure HA on a service by service basis ‣ In a cloud, unused VMs don’t consume CPU/Memory and don’t need to be overspecified Wednesday, 2 October 13

46. SDDC Defined Security ‣ create a segment for each service

    or application in my data centre ‣ radical overhaul in security posture ‣ expect bifurcation from security (love/ hate) ‣ stop using hardware. ‣ Huge operational impact ‣ Massive security improvement Wednesday, 2 October 13

47. Agenda ‣ Part 1 - What is Overlay Networking ?

    ‣ Part 2 - Sample Designs for SDDC ‣ Part 3 - Wider Impacts Wednesday, 2 October 13

48. VTEP FWL Physical Server pNic pNic VM VM VM VM

    VM VM Core Core Core Core ToR ToR ToR ToR VXLAN, NVGRE, NVO3 or MPLSoGRE FWL RTR RTR Internal VTEP VTEP vSwitch Internet SW SW Direct Hosts Server Server Legacy Hosts "Not to Scale" Wednesday, 2 October 13

49. FWL Physical Server Physical Server Physical Server pNic pNic VM

    VM VM VM VM VM Core Core Core Core ToR ToR pNic pNic VM VM VM VM VM VM ToR ToR pNic pNic VM VM VM VM VM VM VXLAN, NVGRE, NVO3 or MPLSoGRE FWL RTR RTR Internal OVSDB VTEP VTEP vSwitch vSwitch vSwitch Network Controller OVSDB Internet SW SW Direct Hosts Server Server Legacy Hosts Wednesday, 2 October 13

50. FWL Physical Server Physical Server Physical Server pNic pNic VM

    VM VM VM VM VM pNic pNic VM VM VM VM VM VM pNic pNic VM VM VM VM VM VM FWL RTR RTR Internal OVSDB vSwitch vSwitch vSwitch Network Controller OVSDB Internet SW SW Direct Hosts VTEP VTEP Wednesday, 2 October 13

51. Underlay/Overlay Integration ‣ Some vendor signalling that Underlay & Overlay

    must be integrated not abstracted ‣ Could be self serving and promote legacy hardware sales ‣ Could be a serous technical reason ‣ But I doubt it, Bandwidth Always Wins Wednesday, 2 October 13

52. VM Leaf Leaf Leaf Leaf Spine Spine Spine Spine VM

    VM Agent VM VM VM VM VM VM Agent VM VM VM pServer Router Firewall VMware Hyper-V/KVM Physical vCloud Director SCCM NETWORK CONTROLLER Controller Networking of Physical And Cloud •Controller handling physical ? Wednesday, 2 October 13

53. VM Leaf Leaf Leaf Leaf Spine Spine Spine Spine VM

    VM Agent VM VM VM VM VM VM Agent VM VM VM pServer Router Firewall VMware Hyper-V/KVM Physical vCloud Director SCCM NETWORK CONTROLLER Overlay Functional Integration Looks Like What ? Text •Controller handling logical ? •State in the underlay ? •Why would this integration add value ? 52 Wednesday, 2 October 13

54. Cloud Server Cluster OpenStack / VMware vCloud Spine Spine Edge

    Edge Edge Edge Grow Over Time Core Core Dist'n Dist'n Dist'n Dist'n Access Access Access Access Access Access Access Access Server Server Server Server Server 10GbE Interfaces Bare Metal / vCenter / KVM / Other Hand Cranked Server Server Server Server Server Server Server Wednesday, 2 October 13

55. vServer Leaf Leaf Leaf Leaf Spine Spine Spine Spine vServer

    vServer NX1000V vServer vServer vServer vServer vServer vServer NX1000V vServer vServer vServer pServer Router Firewall VMware Hyper-V/KVM Physical DCNM/ DFA DFA Overlay Cisco DFA - Hardware Solution Wednesday, 2 October 13

56. Network Engineering ‣ Connectivity is now commodity not a service

    ‣ “Quilted Toilet Paper” ‣ Dumb networking must automate ‣ “don’t send a human to do a robot’s job” ‣ Data Centre networking now different from “other” networking ‣ Needs new solutions Wednesday, 2 October 13

57. How much 10GbE do you need ‣ Broadcom Trident 2

    has 32 x 40GbE ports ‣ Each port can be 4 x 10GbE with QSFP breakout for 96 x 10GbE in single switch ‣ Blade server with 8 blades uses 2 x 10GbE to each switch ‣ 20 to 1 server compression ‣ 20 VMs x 8 Blades x 48 x (2x10GbE) ‣ = 7680 virtual servers Wednesday, 2 October 13

58. How much 10GbE do you need ‣ 2 switches supports

    a lot of servers ‣ connectivity is not a feature ‣ Quilted Toilet Paper Wednesday, 2 October 13

59. Network Services ‣ dynamic configuration is a service ‣ integration

    with OpenStack or vCloud Director is a valuable feature ‣ firewalls, load balancing, security zoning, Wednesday, 2 October 13

60. Network Agents Wednesday, 2 October 13

61. Question Time Wednesday, 2 October 13

62. Question Time ‣ Host of Packet Pushers Podcast ‣ Freelance

    Network Architect/Engineer ‣ Blog - EtherealMind.com ‣ NetworkComputing.com (http://networkcomputing.com/blogs/author/Greg-Ferro) ‣ Slides: speakerdeck.com/etherealmind Wednesday, 2 October 13