Automating Access Control Lists with OpenDaylight and OpenVSwitch

This presentation shows how globo.com worked around the limited specialized TCAM memory on its top-of-rack switches by taking a Software Defined Networking approach.

Gustavo Pantuza

September 11, 2017

Transcript

  1. Automating Access Control Lists with OpenDaylight and OpenVSwitch Gustavo Pantuza, Leopoldo Mauricio
  2. Agenda Context Problem Solution

  3. None
  4. Largest media group in Latin America 17 years

  5. None
  6. None
  7. None
  8. None
  9. None
  10. Datacenter 5000 servers Bandwidth 2.4 Tb/s
  11. Fabric PoDs ToR VMs Containers Bare metal

  12. Cloud

  13. Cloud

  14. Xen Clusters Host Hypervisor OvS VMs

  15. Xen Clusters

  16. Environments Backend - BE Frontend - FE

  17. Datacenter Spine Leaf Core ECMP BGP

  18. Access Control Lists

  19. 50000+ ACLs ACL API

  20. Environment segmentation BE FE BE VRF FE VRF BE FE BE VRF FE VRF
  21. TCAM Expensive Upgrade Small

  22. None
  23. No policies on networks

  24. Moving forward SDN

  25. Network API 8000+ Networks 500+ Equipments 6300+ Vlans 1700+ Environments

  26. Xen Clusters Host Hypervisor OvS VMs

  27. Network API

  28. Controller

  29. Virtual switch

  30. None
  31. Network API

  32. { "kind": "backend#acl", "rules": [{ "action": "permit", "description": "Access from application A on port 80", "destination": "10.0.42.0/24", "id": "222222", "owner": "user", "protocol": "ip", "source": "10.5.190.0/24" }] }
  33. { ... }

  34. Workers 16 workers

  35. SDN control 56 servers 6 clusters
  36. Controller requests per second 62.5 reqs/sec
  37. None
  38. No first packet delay

  39. Network API Resilience

  40. Transparent for users

  41. Integration of all our cloud services Tsuru https://tsuru.io DBaaS https://github.com/globocom/database-as-a-service NetworkAPI https://github.com/globocom/GloboNetworkAPI ACL API FSaaS DNSaaS
  42. https://opensource.globo.com/

  43. None
  44. None
  45. gustavopantuza@gmail.com leomauricio@gmail.com https://github.com/pantuza Linkedin