UK VMUG - Introduction to Overlay Networking

Transcript

1. PacketPushers.net Introduction to Overlay Networking

2. About Me ‣ Not a vendor ‣ Not an analyst

   ‣ Not working for “big web” ‣ or some other big name corporate ‣ I am independently employed ‣ You can hire me - [email protected]

3. About Me ‣ Host of Packet Pushers Podcast ‣ Freelance

   Network Architect/Engineer ‣ Did I mention you can rent me ? ‣ Blog - EtherealMind.com ‣ NetworkComputing.com
   (http://networkcomputing.com/blogs/author/Greg-Ferro) ‣ Slides: speakerdeck.com/etherealmind

4. Networking is in my way ‣ The Network is SINGLE

   SYSTEM ‣ every element is interconnected to another in the LAN or WAN or both ‣ Rebooting a device might/could take down the whole network ‣ If rebooting or reconfiguring a server could cause the entire DC to fail, what would your job look like ?

5. Impact Pyramid Power, Physical Hosts Users Connectivity Applications Data Centre

   Network Servers, Storage, VMware Apps Impact Pyramid ‣ Which failure class causes the greatest impact ? ‣ A user ? ‣ One server ? ‣ A VMware cluster ? ‣ A storage array ? ‣ A Network ? ‣ A Data Centre

6. Data Centres != Universe ‣ I’d like to remind VMware

   executives that network is bigger than VMware ....... ‣ “vCDNI means that you never have to talk to the network guy ever again” VMworld 2010 (faceless executive butthead) ‣ “Meanwhile, through all of the advances in server virtualization and cloud computing, networking has remained stuck in the past.” - Hatem Naguib, Vice President, Networking & Security - Mar 13, 2013 ‣ Servers connect to Clients ‣ Network is a platform. ‣ VMware is just one “network app”. ‣ take some time to look down the service chain instead of up your own arse

7. Virtual Networking is OLD ‣ Virtual LANs in 1996 ‣

   Virtual Routing in 2002/3 (MPLS) ‣ Virtual Network Appliances (firewalls, load balancers) in 2007/8 ‣ “Lets do it again” say bitter, cynical networking voices of experience ‣ Virtual Networking is OLD networking

8. Virtual Networking 1 - CapEx ‣ Initial Large CapEx for

   Data Centre Network ‣ Sporadic Upgrades (usually in response to problems) Time Capital Expenditure Network Install Port Capacity Network Upgrade Server Upgrades Server Upgrades Server Upgrades CapEx Waste

9. Virtual Networking 2 - Failure Modes ‣ Single points of

   Complex failure ‣ Why have only one pair of firewalls ‣ routing, cost, power users ‣ Only one or two critical services need HA ‣ HA systems are inherently risky & shared fate systems. ‣ Active/Standby firewall ‣ HA in vertical scale system = $$$$ $’s SVR WAN RTR Internet RTR FWL FWL SVR SVR SVR SVR SVR SVR Stateful HA Active/Standby WAN Internet LoadBal LoadBal Stateful HA

10. Virtual Networking 3 - Autonomy ‣ Individual autonomous elements ‣

    Self-configuring and adapting ‣ Central control neither desirable or relevant ie vCenter, SCVMM/SCOPs is risky system. ‣ Resilient & Distributed Systems like the Internet work well. ‣ Data Centres are NOT distributed systems

11. Agenda ‣ Part 1 - What is Overlay Networking ?

    ‣ Part 2 - Sample Designs for SDDC ‣ Part 3 - Wider Impacts

12. Today ‣ Who controls / manages / owns the Network

    Edge ? vSwitch VM VM VM VM VM NIC SWITCH NIC SWITCH

13. Physical Server Hypervisor vSwitch VM VM OS App vNIC OS

    App vNIC Driver Driver ToR pNIC pNIC ToR

14. Start at the Edge ‣ Virtual Switch = automated patching

    ‣ Server / Network integration is poor ‣ Working without insight SWITCH SWITCH VM VM VM VM VM vSwitch

15. True Networking Network Agent VM VM VM VM VM NIC

    SWITCH NIC SWITCH SWITCH SWITCH VM VM VM VM VM

16. ‣ MAC or IP Scalability ‣ ToR Switches with 8K

    or 16 K TCAMs ‣ 16000 MAC = 16K VMs ‣ 50 VMs per server = 320 servers ‣ Other devices are rounding errors ‣ 4000 VLANs is not enough Scalability Problem

17. Provisioning Problem ‣ Automation VLAN and Port provisioning ‣ STP

    Creation and deletion ‣ IP Subnet Creation and Deletion ‣ Occur 24/7 without change control ‣ STP, IP Routing are slow & risky ‣ even at 250 ms timers with BFD

18. Traffic Loops UCS2100 UCS2100 UCS 5100 B2xx B2xx B2xx B2xx

    B2xx B2xx B2xx B2xx MDS MDS UCS2100 UCS2100 UCS 5100 B2xx B2xx B2xx B2xx B2xx B2xx B2xx B2xx Ethernet Core Ethernet Core NX7K Core Context NX7K Core Context LoadBal UCS6200 UCS6200 LoadBal NX7K Aggr Context NX7K Aggr Context ASA Firewall ASA Context ASA Context ASA Firewall ASA Context ASA Context MPLS/WAN Internet VMDC Design Template v2.1 - Cisco CVD NX5K NX5K NX5K NX5K DMZ Svr DMZ Svr DMZ Svr DMZ Svr ‣Loop up and down, left and right. ‣MPLS, VRFs ‣No automation ‣Change control ‣COMPLEX

19. Mobility ‣ Application Mobility means Server Mobility today. ‣ orchestration

    and automation ‣ faster

20. Introduction to Overlay Networking

21. None

22. Overlay Networking

23. Overlay Networking

24. Overlay Networking

25. Overlay Networking

26. Overlay Networking

27. Network performance of x86 •Intel confirms 40Gbps forwarding on a

    single CPU core •Expect to see Fulcrum switch silicon on motherboard in 2015 & CPU die by 2017 (maybe)

28. Network Agent as Router •Network agent can •filter at the

    edge, •load balance across available path •policy route (SRC/DST into tunnel interfaces
29. None
30. None
31. None

32. Agenda ‣ Part 1 - What is Overlay Networking ?

    ‣ Part 2 - Sample Designs for SDDC ‣ Part 3 - Wider Impacts

33. Software Defined Data Centres

34. Today

35. None
36. None
37. None
38. None
39. None
40. None
41. None
42. None
43. None
44. None
45. None
46. None

47. SDDC Features ‣ Use LOTS & LOTS of software appliances

    ‣ Firewalls, routers, IDS, ‣ Instead of one big one, have many smaller ones per service ‣ configure HA on a service by service basis ‣ In a cloud, unused VMs don’t consume CPU/Memory and don’t need to be overspecified

48. SDDC Defined Security ‣ create a segment for each service

    or application in my data centre ‣ radical overhaul in security posture ‣ expect bifurcation from security (love/ hate) ‣ stop using hardware. ‣ Huge operational impact ‣ Massive security improvement

49. Agenda ‣ Part 1 - What is Overlay Networking ?

    ‣ Part 2 - Sample Designs for SDDC ‣ Part 3 - Competitive Space

50. Network Engineering ‣ Connectivity is commodity not a feature ‣

    “Quilted Toilet Paper” ‣ Dumb networking must automate ‣ “don’t send a human to do a robot’s job” ‣ “dumb server-ing” must automate ‣ Data Centre networking now different from “other” networking ‣ Not true before

51. How much 10GbE do you need ‣ Broadcom Trident 2

    has 32 x 40GbE ports ‣ Each port can be 4 x 10GbE with QSFP breakout for 96 x 10GbE in single switch ‣ Blade server with 8 blades uses 2 x 10GbE to each switch ‣ 20 to 1 server compression ‣ 20 VMs x 8 Blades x 48 x (2x10GbE) ‣ = 7680 virtual servers

52. Network Services ‣ dynamic configuration is a service ‣ integration

    with OpenStack or vCloud Director is a valuable feature ‣ firewalls, load balancing, security zoning,

53. VTEP FWL Physical Server pNic pNic VM VM VM VM

    VM VM Core Core Core Core ToR ToR ToR ToR VXLAN, NVGRE, NVO3 or MPLSoGRE FWL RTR RTR Internal VTEP VTEP vSwitch Internet SW SW Direct Hosts Server Server Legacy Hosts "Not to Scale"

54. FWL Physical Server Physical Server Physical Server pNic pNic VM

    VM VM VM VM VM Core Core Core Core ToR ToR pNic pNic VM VM VM VM VM VM ToR ToR pNic pNic VM VM VM VM VM VM VXLAN, NVGRE, NVO3 or MPLSoGRE FWL RTR RTR Internal OVSDB VTEP VTEP vSwitch vSwitch vSwitch Network Controller OVSDB Internet SW SW Direct Hosts Server Server Legacy Hosts

55. Underlay/Overlay Integration ! ‣ Some vendor signalling that Underlay &

    Overlay must be integrated not abstracted ‣ Could be self serving and promote legacy hardware sales ‣ Could be a serous technical reason ‣ But I doubt it, Bandwidth Always Wins

56. Cisco ACI vs VMware NSX VMware NSX Cisco ACI Software

    Hardware
57. None

58. VM Leaf Leaf Leaf Leaf Spine Spine Spine Spine VM

    VM Agent VM VM VM VM VM VM Agent VM VM VM pServer Router Firewall VMware Hyper-V/KVM Physical vCloud Director SCCM NETWORK CONTROLLER Controller Networking of Physical And Cloud •Controller handling physical •Cisco ACI

59. VM Leaf Leaf Leaf Leaf Spine Spine Spine Spine VM

    VM Agent VM VM VM VM VM VM Agent VM VM VM pServer Router Firewall VMware Hyper-V/KVM Physical vCloud Director SCCM NETWORK CONTROLLER Overlay Functional Integration Looks Like What ? Text •Controller handling logical ? •State in the underlay ? •Why would this integration add value ?

60. Cloud Server Cluster OpenStack / VMware vCloud Spine Spine Edge

    Edge Edge Edge Grow Over Time Core Core Dist'n Dist'n Dist'n Dist'n Access Access Access Access Access Access Access Access Server Server Server Server Server 10GbE Interfaces Bare Metal / vCenter / KVM / Other Hand Cranked Server Server Server Server Server Server Server •ECMP Network designs support software overlays just fine •And connect to the conventional network

61. Physical / Overlay Integration Tunnel Fabric - "Overlay Network" Physical

    Server Physical Server Physical Server Core Core Core Core ToR ToR ToR ToR Overlay LAN 2 pNic pNic pNic pNic pNic pNic Agent Agent Agent VM VM Ethernet Fabric - "Underlay Network"

62. JC2- SP1 JC2- SP1 JC2- SP1 JC2- SP1 JC2- SP1

    JC2- SP1 32 x 40G L2 L2 L2 L2 32 x 40G L2 L2 40 x 10 =400 Use 40 port per switch 40 x 10 =400 ports 400*6 =2.400 Tbps L3 ECMP Core 32 x 40 L3 ECMP L2 MLAG L3 Core 12x40 VTEPJC2- LSW1 VM PNIC PNIC vMotion L2 Aggregation L2 Aggregation L2 Aggregation L2 Aggregation L2 Aggregation L2 Aggregation 2 x 40 4 x10 Site Firewall JANET Internet OPN/WAN Site Site 10G JC2- LSW1 10G JC2- LSW1 10G JC2- LSW1 10G JC2- LSW1 10G JC2- LSW1 40G JC2- LSW1 12x40 12x40 12x40 12x40 12x40 VM VM VM Overlay Network Conventional 4 x10 4 x10 RI Firewall

63. Think Like This ‣ No one cares about the network

    ‣ No one cares about the computer ‣ No one cares about the VM ‣ We care about applications

64. Question Time ‣ Host of Packet Pushers Podcast ‣ Freelance

    Network Architect/Engineer ‣ Available for Hire ‣ Blog - EtherealMind.com ‣ NetworkComputing.com
    (http://networkcomputing.com/blogs/author/Greg-Ferro) ‣ Slides: speakerdeck.com/etherealmind