
Automating Access Control Lists with OpenDaylight and OpenVSwitch

This presentation shows how globo.com solved a problem with TCAM specialized memory limitation on the top of rack switches through a Software Defined Networking approach.

Gustavo Pantuza

September 11, 2017

Transcript

  1. Automating Access Control Lists
    with OpenDaylight and OpenVSwitch
    Gustavo Pantuza, Leopoldo Mauricio


  2. Agenda
    Context, Problem, Solution


  4. Largest media group in Latin America
    17 years


  10. Datacenter
    5000 servers
    Bandwidth: 2.4 Tb/s


  11. Fabric PoDs
    ToR
    VMs
    Containers
    Bare metal


  12. Cloud


  13. Cloud


  14. Xen Clusters
    Host
    Hypervisor
    OvS
    VMs


  15. Xen Clusters


  16. Environments
    Backend - BE
    Frontend - FE


  17. Datacenter
    Spine
    Leaf
    Core
    ECMP BGP


  18. Access Control Lists


  19. 50000+ ACLs
    ACL API


  20. Environment segmentation
    [Diagram: BE, FE, BE VRF, FE VRF]


  21. TCAM
    Expensive
    Upgrade
    Small


  23. No policies on networks


  24. Moving forward
    SDN


  25. Network API
    8000+ Networks
    500+ Equipments
    6300+ Vlans
    1700+ Environments


  26. Xen Clusters
    Host
    Hypervisor
    OvS
    VMs


  27. Network API


  28. Controller


  29. Virtual switch


  31. Network API


  32. {
        "kind": "backend#acl",
        "rules": [{
          "action": "permit",
          "description": "Access from application A on port 80",
          "destination": "10.0.42.0/24",
          "id": "222222",
          "owner": "user",
          "protocol": "ip",
          "source": "10.5.190.0/24"
        }]
      }


  33. {
    ...
    }


  34. Workers
    16 workers


  35. SDN control
    56 servers
    6 clusters


  36. Controller requests per second
    62.5 reqs/sec


  38. No first packet delay


  39. Network API
    Resilience


  40. Transparent for users


  41. Integration of all our cloud services
    Tsuru https://tsuru.io
    DBaaS https://github.com/globocom/database-as-a-service
    NetworkAPI https://github.com/globocom/GloboNetworkAPI
    ACL API
    FSaaS
    DNSaaS


  42. https://opensource.globo.com/


  45. https://github.com/pantuza
