
BROCADE SDN CONTROLLER

OPERATIONS AND SUPPORT



© 2015 Brocade Communications Systems, Inc. Company Proprietary Information 1


Legal Disclaimer

• All or some of the products detailed in this presentation may still be under
development and certain specifications, including but not limited to, release dates,
prices, and product features, may change. The products may not function as intended
and a production version of the products may never be released. Even if a production
version is released, it may be materially different from the pre-release version
discussed in this presentation.
• Nothing in this presentation shall be deemed to create a warranty of any kind, either
express or implied, statutory or otherwise, including but not limited to, any implied
warranties of merchantability, fitness for a particular purpose, or non-infringement of
third-party rights with respect to any products and services referenced herein.
• ADX, AnyIO, Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, ICX,
MLX, MyBrocade, OpenScript, VCS, VDX, and Vyatta are registered trademarks, and
HyperEdge, The Effortless Network, and The On-Demand Data Center are trademarks
of Brocade Communications Systems, Inc., in the United States and/or in other
countries. Other brands, products, or service names mentioned may be trademarks
of their respective owners.



Module 0: SDN Overview
What is SDN ? What can I do with it ?



Where did SDN originate ?



A Brief History of Networking
1990s: PCs and Networking: Switches

• Distributed control
• Independent, intelligent, and autonomous network devices

[Figure: several switches, each running its own Control plane and Data Forwarding plane]

A Brief History of Networking
2015: PCs, laptops, tablets, phones, cloud, datacenters, virtualization, ...

• Distributed control
• Independent, intelligent, and autonomous network devices

[Figure: the same diagram as the 1990s slide: every switch still runs its own Control plane and Data Forwarding plane]

Why are we still here?
Well it seemed like a good idea at the time...

2/26/2018 7
ForCES
Forwarding and Control Separation

Circa 2003: IETF standards for separation of the Forwarding and Control planes

• Control Elements (CE) on control blades
• Forwarding Elements (FE) on router blades
• Connected over the switch fabric backplane

[Figure: two Control Blades (CE) above a Switch Fabric Backplane, with several Router Blades (FE) below]

Clean Slate Program
Starting Over

Circa 2005: Network-level Control and Management
Research: "Clean slate"

Objectives:
• Forwarding at the edge (Network Elements hold only Forwarding Tables)
• Control at a central management system with network-wide views

[Figure: a central management system with network-wide views above several Network Elements, each holding Forwarding Tables]

Ethane
Complete SDN(ish) System

Circa 2007: Research, Clean Slate implementation

• Central controller holding policies, registration, bindings, and network topology
• Simple forwarding devices

[Figure: Ethane Controller (Policies, Registration, Bindings, Network Topology) above several Network Elements, each with Flow Tables and a Forwarding Plane]

OpenFlow Protocol
Evolves from prior work

• OpenFlow evolves from the Ethane protocol
• OpenFlow switch implementations: late 2007
• OpenFlow proposed: March 2008
• First OpenFlow specification: December 2008

Why SDN ?



Fundamental Issue
Closed System

• Open environments: many applications run on top of an operating system with open interfaces
• Closed: the network device ships its applications bundled with its operating system

[Figure: "Open Environments" (many Apps over an Operating System) versus "Closed" (a few Apps fused with the Operating System)]

Why is this bad?

Stupid, static, rigid, and inflexible networks!

• Restricted opportunities for innovation
• Vendor hegemony and lock-in
• Result: static, rigid, and inflexible networks

Cloud & Mobile Timeline
What was Driving the Networking Market

• 2006: AWS launches
• Jun 29, 2007: First iPhone released
• Aug 26, 2008: Facebook reaches 100M users
• Aug 2009: Twitter reaches 50M users
• 2010: 200M smartphones sold
• July 2012: VMware acquires Nicira for $1.21B
• Sept 14, 2012: Facebook reaches 1B users
• 2013: YouTube uploads reach 100 hours/minute

Data Centers
The “straw that broke the camel’s back”

• Massive scale of DCs and cloud threaten to break many network technologies:
− MAC table issues: overflowing
− Spanning tree issues: unused links
− VLAN issues: 4K not enough for multi-tenant clouds
− Inter Data Center Traffic Engineering: how to handle massive traffic loads
MAC Address Table Overflow

• An overflowing MAC table causes the device to flood packets onto the network, with significant performance implications
• The same condition can be induced deliberately: a host that sends frames from thousands of forged source MACs fills the table and turns the switch into a hub, so unicast traffic for other stations is copied to the attacker's port for as long as the table stays full

[Figure: a switch whose MAC address table is full]

MAC address table full, causing incoming packets to fail their match, resulting in the packet getting flooded to all ports

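The flooding behaviour above, as an added example that is not part of the Brocade deck: a toy learning switch with a bounded, aging MAC table. The two servers, the attacker port, the table size of 1024 and the deterministic flood of forged source MACs are all constructed for the demo. With no per-port limit the attacker's frames fill the table once the legitimate entries age out, and the reply from server A is flooded to the attacker's port; with a port-security style cap of 8 MACs per port the same attack changes nothing for A and B.

```python
"""Learning switch with a bounded, aging MAC table, to show what an overflow does to unicast."""
import random


class LearningSwitch:
    def __init__(self, ports, table_size, age=300, max_per_port=None):
        self.ports, self.table_size, self.age = ports, table_size, age
        self.max_per_port = max_per_port     # optional port-security style limit per ingress port
        self.mac_table = {}                  # mac -> (port, last_seen)

    def _expire(self, now):
        for mac in [m for m, (_, seen) in self.mac_table.items() if now - seen > self.age]:
            del self.mac_table[mac]

    def learn(self, mac, port, now):
        """Return True if the source MAC is (re)learned, False if the table refused it."""
        if mac in self.mac_table:
            self.mac_table[mac] = (port, now)
            return True
        if len(self.mac_table) >= self.table_size:
            return False                     # table full: new stations cannot be learned
        if self.max_per_port is not None and \
                sum(p == port for p, _ in self.mac_table.values()) >= self.max_per_port:
            return False                     # this port already holds its allowed number of MACs
        self.mac_table[mac] = (port, now)
        return True

    def forward(self, src, dst, in_port, now):
        """Return the set of egress ports for one frame."""
        self._expire(now)
        self.learn(src, in_port, now)
        entry = self.mac_table.get(dst)
        if entry is None:                    # unknown destination (or table miss): flood
            return {p for p in self.ports if p != in_port}
        return set() if entry[0] == in_port else {entry[0]}


A, B = "0a:00:00:00:00:01", "0a:00:00:00:00:02"   # constructed: two servers on ports 1 and 2


def scenario(max_per_port=None, table_size=1024, attacker_frames=2048):
    """Attacker on port 3 sprays random source MACs once A and B's entries have aged out."""
    sw = LearningSwitch(ports=[1, 2, 3], table_size=table_size, max_per_port=max_per_port)
    sw.forward(A, B, 1, now=0)
    sw.forward(B, A, 2, now=1)
    before = sw.forward(A, B, 1, now=2)                       # A and B learned: unicast to port 2
    rng = random.Random(7)                                    # constructed, deterministic flood
    for _ in range(attacker_frames):
        fake = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
        sw.forward(fake, "ff:ff:ff:ff:ff:ff", 3, now=400)     # age > 300 s: A and B have expired
    sw.forward(B, A, 2, now=401)                              # B talks first; A is unknown either way
    after = sw.forward(A, B, 1, now=402)                      # A's reply: unicast, or flooded to port 3?
    return before, after, len(sw.mac_table)


if __name__ == "__main__":
    print("no limit:   ", scenario())
    print("8 MACs/port:", scenario(max_per_port=8))
```

The per-port cap is the check a practitioner wants on access ports: it bounds how much of the shared table any single port can consume, so one misbehaving host cannot degrade forwarding for everyone else.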
Spanning Tree Inefficiency

Spanning Tree issues:
• Inefficiency: wasting bandwidth due to blocked links
• Latency: delays introduced by re-convergence after a topology change

[Figure: several interconnected switches; redundant links are marked Blocked, one path is marked Forwarding]

VLAN Exhaustion

• When VLANs are used up, no more tenants can be supported in that network domain
• Besides, "who would ever need more than 4096 VLANs?"

802.1Q Tag layout:
  TPID: 0x8100 (16 bits) | CoS/PCP (3 bits) | DEI/CFI (1 bit) | VLAN ID (12 bits)
  12 bits give 4096 values, of which VID 0 and 4095 are reserved, so 4094 usable VLANs

The tag itself can't be changed because hardware has been built to expect tags like this for the last decade or more.

Optimal Traffic Engineering

• Network visibility and traffic data allow the controller to make optimal path decisions

[Figure: an Open SDN Controller above a mesh of Data Forwarding devices; the Shortest Path crosses a link marked Traffic Congestion, while the controller steers traffic onto an Optimal Path around it]

Data Centers

Networking became the Hammer Pants of data centers
• No Agility: to quickly move networks from one physical location to another
• No Automation: to use programmatic methods to make changes
• No Virtualization: to instantly create, destroy, and move network resources anywhere, anytime in the DC
Pre-SDN attempts to address datacenter needs
Solving Data Center Issues
Management

Different attempts have been made to make datacenter networking more agile and able
to adapt to changes:
• Orchestration solutions
• VM Management Plug-in solutions
• RADIUS solutions
Orchestration Solutions

• Network attributes updated by CLI & SNMP (Vendor X, Vendor Y)
• Scripting to automate certain common tasks
• Good for firmware updates
• Not dynamic enough for datacenter automation needs

[Figure: an Orchestration system driving an Aggregation Switch and TOR Switches A and B; Physical Server A (Hypervisor A) hosts VMs A1, A2, A3 and Physical Server B (Hypervisor B) hosts VMs B1, B2; scenario: move VM A1 to Physical Server B]

VM Plug-in Solutions

• Plug-in linked to the server virtualization platform's VM management
• Responds to adds, moves, changes, deletes
• Still must use CLI or SNMP for network changes

[Figure: same topology as the Orchestration slide; network attributes updated by CLI & SNMP; scenario: move VM A1 to Physical Server B]

RADIUS Solutions

• Network attributes updated by RADIUS policy
• Automatic based on server changes
• Dynamic network re-configuration using RADIUS attributes

[Figure: a RADIUS Server with Policy driving the Aggregation Switch and TOR Switches A and B; one server port is marked Untrusted; scenario: move VM A1 to Physical Server B]

Enough Said…

Solving Data Center Issues
Tunnels

Different attempts have been made to make networking better able to handle
datacenter issues such as MAC address table and VLAN exhaustion using tunnels:
• Virtual Networking solutions using tunnels
• Spanning Tree replacement protocols
Network Virtualization
VXLAN

• MAC-in-IP tunnel
• UDP (IANA-assigned VXLAN port 4789; early Linux implementations defaulted to 8472)
• Unicast between switches (tunnel endpoints)
• 2^24 (about 16 million) Virtual Networks

Packet layout:
  Outer MAC / IP / UDP Header | VXLAN Header | Original Packet (Outer Payload)
  Outer header: Dest MAC, Source MAC, Source IP, Dest IP (MAC & IP of the tunnel endpoints), Src UDP Port, Dst UDP Port = 4789
  VXLAN Header: 24-bit VXLAN Network Identifier (VNI)
  Original Packet: Dest MAC and Source MAC of the original hosts, and payload

Network Virtualization
NVGRE

• MAC-in-IP tunnel
• GRE (IP protocol 47, 0x2F); no UDP header
• Unicast between switches (tunnel endpoints)
• 2^24 (about 16 million) Virtual Networks

Packet layout:
  Outer MAC / IP Header | GRE Header | Original Packet (Outer Payload)
  Outer header: Dest MAC, Source MAC, Source IP, Dest IP (MAC & IP of the tunnel endpoints)
  GRE Header: 24-bit Virtual Subnet ID (VSID), carried in the GRE key field
  Original Packet: Dest MAC and Source MAC of the original hosts, and payload

Network Virtualization
STT

• MAC-in-IP tunnel
• TCP-like header (STT port 7471*): the outer header is shaped like TCP so NIC segmentation offload can be applied to the tunnel, but there is no TCP connection or state
• Unicast between switches (tunnel endpoints)
• 64 bits of Context ID

Packet layout:
  Outer MAC / IP / TCP-like Header | STT Header | Original Packet (Outer Payload)
  Outer header: Dest MAC, Source MAC, Source IP, Dest IP (MAC & IP of the tunnel endpoints), Src TCP Port, Dst TCP Port = 7471*
  STT Header: 64-bit Context Identifier
  Original Packet: Dest MAC and Source MAC of the original hosts, and payload

* = port number current at the time of the slide

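The VXLAN and NVGRE layouts above, as an added example that is not part of the Brocade deck: it builds each encapsulation around a constructed inner frame and then decapsulates it, pulling the 24-bit VNI or VSID out of the right header. The VTEP addresses, the inner frame and the tenant IDs are all constructed sample data, and the IPv4 checksum is left at zero because nothing is transmitted. STT is not handled. Neither header carries any authentication: the tenant ID is whatever the sender put there, so a VTEP must only accept tunnel traffic from peers it knows, which is why the decapsulator here rejects anything that is not shaped exactly as expected rather than guessing.

```python
"""Build and decapsulate VXLAN and NVGRE packets (constructed sample data)."""
import struct

VXLAN_PORT = 4789        # IANA-assigned; early Linux kernels defaulted to 8472
IPPROTO_UDP = 17
IPPROTO_GRE = 47         # 0x2F
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_TEB = 0x6558   # Transparent Ethernet Bridging: the GRE payload is an Ethernet frame


def ipv4_header(proto, src, dst, payload_len):
    # Minimal 20-byte IPv4 header; checksum left at 0 (constructed sample, never sent)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)


def vxlan_encap(vni, inner, outer_smac, outer_dmac, sip, dip, sport=49152):
    """Outer Ethernet / IPv4 / UDP / VXLAN around an inner Ethernet frame."""
    # VXLAN header: flags (I bit = 0x08) | 3 reserved | 24-bit VNI | 1 reserved
    vxlan = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp = struct.pack("!HHHH", sport, VXLAN_PORT, 8 + len(vxlan) + len(inner), 0)
    ip = ipv4_header(IPPROTO_UDP, sip, dip, len(udp) + len(vxlan) + len(inner))
    return outer_dmac + outer_smac + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp + vxlan + inner


def nvgre_encap(vsid, inner, outer_smac, outer_dmac, sip, dip, flow_id=0):
    """Outer Ethernet / IPv4 / GRE(key) around an inner Ethernet frame."""
    # GRE: K bit set (0x2000), protocol 0x6558, key = 24-bit VSID + 8-bit FlowID
    gre = struct.pack("!HH", 0x2000, ETHERTYPE_TEB) + vsid.to_bytes(3, "big") + bytes([flow_id])
    ip = ipv4_header(IPPROTO_GRE, sip, dip, len(gre) + len(inner))
    return outer_dmac + outer_smac + struct.pack("!H", ETHERTYPE_IPV4) + ip + gre + inner


def decap(frame):
    """Return (encap_type, tenant_id, inner_frame), or None if not a well-formed VXLAN/NVGRE packet."""
    if len(frame) < 34:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto, l4 = ip[9], ip[ihl:]
    if proto == IPPROTO_UDP and len(l4) >= 16:
        dport = struct.unpack("!H", l4[2:4])[0]
        if dport != VXLAN_PORT or not (l4[8] & 0x08):   # wrong port, or VNI-valid flag clear
            return None
        return ("vxlan", int.from_bytes(l4[12:15], "big"), l4[16:])
    if proto == IPPROTO_GRE and len(l4) >= 8:
        gre_flags, gre_proto = struct.unpack("!HH", l4[:4])
        if not (gre_flags & 0x2000) or gre_proto != ETHERTYPE_TEB:   # need a key and TEB payload
            return None
        return ("nvgre", int.from_bytes(l4[4:7], "big"), l4[8:])
    return None


# Constructed sample: an ARP-sized inner frame between two tenant VM MACs
INNER = bytes.fromhex("0a0000000001" "0a0000000002" "0806") + b"\x00" * 28
VTEP_A_MAC, VTEP_B_MAC = bytes.fromhex("0000aa000001"), bytes.fromhex("0000aa000002")
VTEP_A_IP, VTEP_B_IP = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])


def demo():
    vx = vxlan_encap(0x00ABCD, INNER, VTEP_A_MAC, VTEP_B_MAC, VTEP_A_IP, VTEP_B_IP)
    nv = nvgre_encap(5000, INNER, VTEP_A_MAC, VTEP_B_MAC, VTEP_A_IP, VTEP_B_IP)
    return decap(vx), decap(nv)


if __name__ == "__main__":
    for kind, tenant, inner in demo():
        print(kind, hex(tenant), "inner dst", inner[:6].hex())
```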
Network Virtualization
Orchestration Anyone ?

• Multiple tunnels per physical server
• 100,000 physical servers
• Who is going to configure all of those tunnels ?
Solving Data Center Issues
Protocols

Different attempts have been made to overcome datacenter networking issues,


especially spanning tree, using new protocols
• Trill (MAC-in-MAC)
• Shortest Path Bridging (Q-in-Q, MAC-in-MAC)
Trill
Transparent Interconnection of Lots of Links

• MAC-in-MAC encapsulation
• IS-IS link-state protocol for determining best path
• No spanning tree

(The TRILL "Algorhyme v2" poem, quoted on the slide:)
I hope that we shall one day see
A graph more lovely than a tree.
A graph to boost efficiency
While still configuration-free.
A network where RBridges can
Route packets to their target LAN.
The paths they find, to our elation,
Are least cost paths to destination!
With packet hop counts we now see,
The network need not be loop-free!
RBridges work transparently,
Without a common spanning tree.
SPB(V): USING Q-IN-Q

• Inserts another VLAN tag into the packet
  − Q-in-Q Outer Tag: Metro Tag | PE-VLAN | S-VID
  − Q-in-Q Inner Tag: C-VID

  PE-VLAN: Provider Edge VLAN
  S-VID: Service VLAN ID
  C-VID: Customer VLAN ID

Frame layouts (destination MAC comes first on the wire):
  Untagged packet:           MAC Dst | MAC Src | Eth Type | Payload
  802.1Q VLAN-tagged packet: MAC Dst | MAC Src | 802.1Q Tag | Eth Type | Payload
  802.1ad Q-in-Q packet:     MAC Dst | MAC Src | 802.1Q Outer Tag | 802.1Q Inner Tag | Eth Type | Payload

SPB(M): USING MAC-IN-MAC

• Inserts a new MAC header at the beginning of the packet

  B-SA: Backbone SA
  B-DA: Backbone DA
  B-VID: Backbone VID
  I-SID: Service ID

Frame layouts (destination MAC comes first on the wire):
  Untagged packet:           DA | SA | Eth Type | Payload
  802.1Q VLAN-tagged packet: DA | SA | 802.1Q Tag (VID) | Eth Type | Payload
  MAC-in-MAC packet:         B-DA | B-SA | B-VID tag (S-VID) | I-SID tag (C-VID) | DA | SA | Eth Type | Payload

Distributed vs. Central

“Why do I want my Ethernet switches to relearn where every VM is located in the data
center every 5 minutes when my orchestration system knows exactly where each VM is
and no VM moves without my orchestration system telling it to move.”
-- Cloud Datacenter Architect
Orchestration
Closed Systems vs Open Systems

• Orchestration inherently involves lots of scaffolding
• Your infrastructure is the foundation for that scaffolding
• Do you want to build your data center on closed infrastructure ?

[Figure: Orchestration stacked on top of Infrastructure]
SDN Definitions: Will the real SDN please stand up?

SDN Definitions
Depends who you ask...

• Neurologist: Sexually Dimorphic Nucleus

OpenFlow-based SDN
Separate Control & Forwarding Planes
Moving control functionality to a centralized controller

• Remove control software from the device and place it in a controller
• The device handles the forwarding and data plane functionality
• The controller handles the control plane functionality

[Figure: Control moves out of the Forwarding Device and into the Controller]
Open Networking via SDN

• Simplified devices
• Centralized controller
• Enforcement implemented by devices
• Open environment for innovation

[Figure: Apps on top of an OpenFlow Controller, which programs several Forwarding devices]
SDN: The Big Picture

• A network operating system
• A suite of network applications
• Communication between controller and devices via the OpenFlow protocol

[Figure: Application layer (Apps) over a Network Operating System (Control) that speaks the OpenFlow protocol to the Data Plane (Forwarding devices)]
Inside Networking Devices Today

• Proprietary, vendor-specific control software in the network device

[Figure: Network Device SOFTWARE: Services (SNMP Agent, Web, CLI), CONFIG, ACLs, QoS, Routing, Security (Virus Throttling, Snooping, Access Control), Spanning Tree, all on a low-level ASIC interface; ASIC with L3 Table, L2 Table, and TCAM]

Inside Networking Devices
With OpenFlow

• Move software off the device, up to the controller

[Figure: the same device, with the control software (Services, CONFIG, ACLs, QoS, Routing, Security, Spanning Tree) moved to the controller; an OpenFlow agent remains on the low-level ASIC interface above the ASIC's L3 Table, L2 Table, and TCAM]

API-based SDN
API-based SDN
Overview

Providing APIs to programmatically control the behavior of the network

Device APIs
• Superior to SNMP or CLI
• E.g. onePK, NETCONF, REST

Controller APIs
• Open northbound API
• Proprietary southbound API

Policy APIs
• Predefined policy-based APIs
• Proprietary southbound

Note: Not mutually exclusive

[Figure: a User Application calling an API into the Policy, Controller, or Device Control layer, above Forwarding]


SDN APIs:
Device-Level

• Ability for applications to be written to control or modify device configuration or packet forwarding behavior.
• Replacement of older protocols (CLI, SNMP) with newer ones, e.g. NETCONF, REST, onePK. (*)
• Legacy device support. (*)
• Centralized control of network. (*)
• Examples: Cisco, Juniper, Brocade, Arista, Alcatel-Lucent, ...

(*) In most cases

[Figure: Apps over a Proprietary Controller, which talks to devices that each keep their own Control and Forwarding planes]


SDN APIs
Controller-Level (open but controller-specific)

• Ability for applications to be written to interact with the controller in order to modify or control device configuration or packet forwarding behavior.
• Controller API is open to network applications, but the API is specific to the controller, and often to devices as well.
• Southbound protocol can be open or proprietary.
• Examples: OpenDaylight, OpenContrail, Brocade-ODL

[Figure: Apps calling the Controller's open API; the controller drives devices with their own Control and Forwarding planes]
SDN APIs
Policy-Level (open but policy-specific)

• Ability for applications to be written to interact with the policy layer on the controller, to manage and control the policy behavior of the network.
• Policy API is open to network applications, but the API is specific to the controller's policy-based functionality.
• Southbound protocol can be open or proprietary.
• Examples: Cisco APIC-EM, APIC-DC.

[Figure: Apps calling the Policy API on the Controller, which drives devices with their own Control and Forwarding planes]
Overlay-based SDN
Overlays

• Completely virtualized networks
• Completely independent of equipment below

[Figure: several Overlay Networks layered over a Physical Network of Network Devices]

Overlays

• Implemented in the hypervisor
• Doesn't touch the physical network
• Still must deal with physical network issues

[Figure: Overlay Networks spanning the Hypervisors on several Physical Servers, over a Physical Network of Network Devices]

Overlay Tunneling Alternatives

• VXLAN (Cisco), NVGRE (Microsoft), STT (Nicira)
• Use MAC-in-IP tunneling

  Outer: MAC header | IP header | UDP* header | Tunnel header
  Original: MAC header | IP header | Payload

  * UDP for VXLAN; NVGRE carries GRE directly over IP, and STT uses a TCP-like header

Overlay Tunneling Operation

• Tunnels exist between 'tunnel endpoint devices' (e.g. VTEPs in vSwitches)
• Encapsulated traffic sent VTEP-to-VTEP

[Figure: a full mesh of tunnels between VTEPs]

SDN Operation
Anatomy of an SDN Device

Hardware
• L2 & L3 forwarding tables
• TCAMs for matching fields other than MAC and IP address

Operation
• Handle matching flows locally
• Drop or forward non-matching flows to the controller and await instructions

[Figure: Switch with an API (OpenFlow, NETCONF) to the Controller, an Abstraction Layer holding Flow Tables, and HW: L3 Fwd, L2 Fwd, TCAM]

Anatomy of a Software SDN Device

• Software switches
• Slower – no hardware acceleration
• Simpler – no issues related to HW table sizes and processing limitations

[Figure: Switch with an API (OpenFlow, NETCONF) to the Controller, an Abstraction Layer holding Flow Tables, and SW Packet Processing in place of hardware]

SDN Device: Hybrid Modes

SDN Device "Hybrid" functionality: multiple meanings

• Switch Mode: Different parts of the switch do OpenFlow, other parts do non-OpenFlow, designated by port or VLAN
• Forwarding Mode: Support for the FORWARD_NORMAL OpenFlow action, putting the packet through the normal processing pipeline
• Port Mode: If no matching flow entry exists in the table, default to normal switch/router processing

[Figure: OpenDaylight Controller above a Hybrid OpenFlow Switch; Firmware holds STP, OSPF, MAC Learning, ACLs, and an OpenFlow Agent; tables: VLAN, L2, L3, ACL, OpenFlow Table; Ports split between Normal and OpenFlow]
SDN Controller Overview

Controller Components:
• Northbound API
  − Communication with applications
• Southbound API
  − Communication with devices
• Modules
  − Functionality and storage
• Applications
  − Advanced functionality

[Figure: Applications (GUI, Learning Switch, Router, Other) over the Controller's Northbound API (REST API, Java API); Modules: Device, Topo Disco & Topo Mgr, Flows, Stats; Southbound: OpenFlow, NETCONF, Other]
Northbound API

Northbound API Events
• Not available from REST
• Switch & user device events
• Packet events

Northbound API Functions
• Add, delete, or modify flows
• Actions to take in response to events received
  − Drop, modify, forward packet
  − Add, delete, modify flows

[Figure: Application exchanging Events and API calls (methods, functions) with the Controller over the Northbound API (REST API, Java API)]
SDN Controller Applications

Standard applications
• GUI
• Learning Switch
• Routing

Additional applications
• Load balancer
• Firewall

[Figure: the same controller block diagram: Applications over the Northbound API (REST API, Java API), Modules (Device, Topo Disco & Topo Mgr, Flows, Stats), Southbound (OpenFlow, NETCONF, Other)]

SDN Controller Considerations

• No standard Northbound API
• Coordination between applications
• Scalability, high availability, performance

[Figure: the same controller block diagram]

OpenFlow Protocol
OpenFlow Basics
Flow Entries and Tables

Flow Entry: Match Fields | Stats | Actions

• Flow Entries
  − Match fields: matching incoming packets
  − Stats: keeping tally of packet matches
  − Actions: what to do if the packet matches

• Flow Tables
  − Match: perform associated action/instruction
  − No match: forward to controller
  − Actions: Forward, Drop, Normal, Flood, …

[Figure: Controller above a Forwarding device holding a Flow Table]
OpenFlow Basics
Match Fields

• Match Fields:
  − Basic 12-tuple (OpenFlow 1.0)
  − MAC src/dst, IP src/dst, VLAN, TCP/UDP ports, physical switch port...
  − Wildcards

OpenFlow 1.0 12-tuple:
  Ingress Port | MAC Src | MAC Dst | Eth Type | VLAN Id | VLAN Prior | IP Src | IP Dst | IP Prot | IP ToS | TCP/UDP sport | TCP/UDP dport

OpenFlow 1.0
Flow Entries

Packet Matches | Packet Actions | Flow Stats

Packet Matches (12-tuple):
  Ingress Port | MAC Src | MAC Dst | Eth Type | VLAN Id | VLAN Prior | IP Src | IP Dst | IP Prot | IP ToS | TCP/UDP sport | TCP/UDP dport

Packet Actions:
  Forward (ALL, CONTROLLER, LOCAL, TABLE, IN_PORT, NORMAL*, FLOOD*) | Drop | Enqueue* | Modify Field*
  * Optional

Flow Stats:
  Packet count | Byte count | Duration (sec.) | Duration (nano sec.)

OpenFlow 1.0
Tables

• Prioritized list of Flow Entries
• Evaluated in order, execute first match found
• Each flow has a timeout ('idle' and 'hard')

Flow table rows:
  Priority | Match Fields | Actions | Stats | Timers
  Priority | Match Fields | Actions | Stats | Timers
  Priority | Match Fields | Actions | Stats | Timers
  ...

OpenFlow 1.0
Tables (cont.)

Flow Entries can be installed 'Proactively' or 'Reactively'
− Proactive Flows are set 'permanently' or by default, and typically do not age out
− Reactive Flows are set dynamically, in reaction to device/state changes, and typically age out after some inactivity
OpenFlow 1.0
Flow Entry Examples

Ingress Port | MAC Src | MAC Dst | Eth Type | VLAN Id | VLAN Prior | IP Src | IP Dst | IP Prot | IP ToS | TCP/UDP sport | TCP/UDP dport | Action
3 | * | * | * | * | * | * | * | * | * | * | * | Output: Port 5
* | * | 08:2c:67:81:3f:06 | * | * | * | * | * | * | * | * | * | Output: Port 23
* | * | * | * | * | * | * | 10.2.8.0/24 | * | * | * | * | Output: Port 82

OpenFlow 1.0
Flow Entry Examples

Ingress Port | MAC Src | MAC Dst | Eth Type | VLAN Id | VLAN Prior | IP Src | IP Dst | IP Prot | IP ToS | TCP/UDP sport | TCP/UDP dport | Action
* | 08:2c:67:81:3f:06 | * | * | * | * | * | * | * | * | * | * | Modify-field: VLAN Id = 22
* | * | * | * | 85 | * | * | * | * | * | * | * | Modify-field: VLAN Pri = 7
* | * | * | 0x0800 (IP) | * | * | * | * | 0x06 (TCP) | * | * | 80 (HTTP) | Modify-field: IP ToS = 0x22

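The OpenFlow 1.0 flow-table semantics of the last few slides (12-tuple match with wildcards, priority order, first match wins, per-entry stats, idle and hard timeouts, table miss to the controller), as an added example that is not part of the Brocade deck and not a real switch or controller implementation. The entries in demo() are the ones from the two example slides plus two constructed entries: a higher-priority drop for telnet and a low-priority, idle-timed "reactive" catch-all. The point a practitioner should take from it is in add(): OF 1.0 leaves ties between overlapping equal-priority entries undefined, so a deny rule is only reliable when its priority is strictly higher than every permit it overlaps.

```python
"""OpenFlow 1.0-style flow table: priority order, wildcard matches, stats, timeouts, table miss."""
import ipaddress

# The OF 1.0 12-tuple; a field absent from an entry's match dict is a wildcard
FIELDS = ("in_port", "dl_src", "dl_dst", "dl_type", "dl_vlan", "dl_vlan_pcp",
          "nw_src", "nw_dst", "nw_proto", "nw_tos", "tp_src", "tp_dst")


class FlowEntry:
    def __init__(self, priority, match, actions, idle_timeout=0, hard_timeout=0):
        assert set(match) <= set(FIELDS), "unknown match field"
        self.priority, self.match, self.actions = priority, match, list(actions)   # [] = drop
        self.idle_timeout, self.hard_timeout = idle_timeout, hard_timeout
        self.packets = self.bytes = 0
        self.installed = self.last_hit = 0.0

    def matches(self, pkt):
        for field, want in self.match.items():
            have = pkt.get(field)
            if field in ("nw_src", "nw_dst"):          # CIDR match, e.g. "10.2.8.0/24"
                if have is None or ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                    return False
            elif have != want:
                return False
        return True


class FlowTable:
    def __init__(self):
        self.entries = []

    def add(self, entry, now=0.0):
        entry.installed = entry.last_hit = now
        self.entries.append(entry)
        # Highest priority first. OF 1.0 leaves ties between overlapping entries undefined,
        # so never rely on insertion order for a deny: give it a strictly higher priority.
        self.entries.sort(key=lambda e: -e.priority)

    def expire(self, now):
        self.entries = [e for e in self.entries
                        if not (e.idle_timeout and now - e.last_hit >= e.idle_timeout)
                        and not (e.hard_timeout and now - e.installed >= e.hard_timeout)]

    def lookup(self, pkt, now=0.0, size=64):
        """Return the action list of the first matching entry, or a packet-in to the controller."""
        self.expire(now)
        for e in self.entries:
            if e.matches(pkt):
                e.packets, e.bytes, e.last_hit = e.packets + 1, e.bytes + size, now
                return e.actions
        return [("output", "CONTROLLER")]               # table miss


def demo():
    """Entries from the two example slides plus a telnet deny and a reactive catch-all."""
    t = FlowTable()
    t.add(FlowEntry(100, {"in_port": 3}, [("output", 5)]))
    t.add(FlowEntry(100, {"dl_dst": "08:2c:67:81:3f:06"}, [("output", 23)]))
    t.add(FlowEntry(100, {"nw_dst": "10.2.8.0/24"}, [("output", 82)]))
    t.add(FlowEntry(200, {"dl_type": 0x0800, "nw_proto": 6, "tp_dst": 80},
                    [("set_nw_tos", 0x22), ("output", "NORMAL")]))
    t.add(FlowEntry(300, {"dl_type": 0x0800, "nw_proto": 6, "tp_dst": 23}, []))   # drop telnet
    t.add(FlowEntry(50, {"dl_type": 0x0800}, [("output", "NORMAL")], idle_timeout=10))  # reactive
    web = {"in_port": 7, "dl_type": 0x0800, "nw_proto": 6, "nw_dst": "10.2.8.9", "tp_dst": 80}
    r_web = t.lookup(web, now=1)                         # priority 200 beats the /24 rule at 100
    r_telnet = t.lookup(dict(web, tp_dst=23), now=2)     # priority 300: dropped
    r_arp = t.lookup({"in_port": 3, "dl_type": 0x0806}, now=3)
    r_v6 = t.lookup({"in_port": 9, "dl_type": 0x86DD}, now=30)   # no entry: packet-in
    return r_web, r_telnet, r_arp, r_v6, len(t.entries)  # catch-all idle-expired before now=30


if __name__ == "__main__":
    print(demo())
```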
OpenFlow
Ports

• Physical ports
  − Correspond to actual ports on the switch
• Logical ports
  − Higher-level abstractions, e.g. LAGs (Link Aggregation), Tunnels, …
• Reserved ports
  − ALL, CONTROLLER, LOCAL, NORMAL, FLOOD, …

[Figure: a switch with physical ports, tunnels, a link aggregation group, and the Flood reserved port]
OpenFlow 1.1
Changes from 1.0

Multiple Tables
• Each table can have a different purpose, different match fields
• Metadata passed from table to table to retain context
• Actions added cumulatively to 'Action Sets'

Example pipeline:
  Table Authentication: adds Set VLAN-Id             Action Set: Set VLAN-Id
  Table QoS:            adds Set VLAN-Pri, Set ToS   Action Set: Set VLAN-Id, Set VLAN-Pri, Set ToS
  Table Rate-Limits:    adds Set Rate                Action Set: Set VLAN-Id, Set VLAN-Pri, Set ToS, Set Rate

OpenFlow 1.1
Changes from 1.0 (cont.)

OpenFlow 1.0 flow entry: Match Fields | Stats | Actions
OpenFlow 1.1 flow entry: Match Fields | Stats | Instructions

Actions become Instructions
• OF 1.0: Each flow entry is associated with zero or more Actions
• OF 1.1: Each flow entry is associated with a set of Instructions:
  − Changes packet (Apply-Actions or Clear-Actions)
  − Changes Action Set (Write-Actions)
  − Changes pipeline processing (Write-Metadata or Goto-Table)
OpenFlow 1.1
Changes from 1.0 (cont.)

OF 1.0 match: Ingress Port | MAC Src | MAC Dst | Eth Type | VLAN Id | VLAN Prior | IP Src | IP Dst | IP Prot | IP ToS | TCP/UDP sport | TCP/UDP dport
OF 1.1 match: Ingress Port | Metadata | MAC Src | MAC Dst | Eth Type | VLAN Id | VLAN Prior | MPLS label | MPLS class | IP Src | IP Dst | IP Prot | IP ToS | TCP/UDP sport | TCP/UDP dport

New Match Fields
• Metadata: For communication passed between tables
• MPLS Label: Matches on the outermost MPLS tag
• MPLS Traffic Class: Matches on the outermost MPLS tag

OpenFlow 1.1
Changes from 1.0 (cont.)

• Push / Pop VLAN tags (QinQ)
• Push / Pop MPLS tags (MPLS)
• Inserted as the outermost tag
• Tag-stacking encapsulation by ISPs

  PE-VLAN: Provider Edge VLAN
  S-VID: Service VLAN ID
  C-VID: Customer VLAN ID

Frame layouts (destination MAC comes first on the wire):
  Untagged packet:           MAC Dst | MAC Src | Eth Type | Payload
  802.1Q VLAN-tagged packet: MAC Dst | MAC Src | 802.1Q Tag | Eth Type | Payload
  802.1ad Q-in-Q packet:     MAC Dst | MAC Src | 802.1Q Outer Tag | 802.1Q Inner Tag | Eth Type | Payload

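The tag push and pop described here and on the VLAN Exhaustion and SPB(V) slides, as an added example that is not part of the Brocade deck: byte-level 802.1Q and 802.1ad tag insertion, removal and parsing on a constructed Ethernet frame, with the push always landing as the outermost tag right after the two MAC addresses. The sample frame and the VLAN IDs are constructed. The tci() range check is the part worth keeping: VID 0 and 4095 are reserved, and a tag a controller is asked to push should be validated before it goes on the wire.

```python
"""802.1Q / 802.1ad tag push, pop and parse on raw Ethernet frames."""
import struct

TPID_C = 0x8100                  # 802.1Q customer tag (C-VID)
TPID_S = 0x88A8                  # 802.1ad service tag (S-VID); some Q-in-Q gear also uses 0x9100
TPIDS = {TPID_C, TPID_S, 0x9100}


def tci(vid, pcp=0, dei=0):
    """Tag Control Information: PCP (3 bits) | DEI/CFI (1 bit) | VID (12 bits)."""
    if not (0 <= pcp <= 7 and dei in (0, 1) and 1 <= vid <= 4094):
        raise ValueError("PCP 0-7, DEI 0/1, VID 1-4094 (VID 0 and 4095 are reserved)")
    return (pcp << 13) | (dei << 12) | vid


def push_vlan(frame, vid, pcp=0, dei=0, tpid=TPID_C):
    """Insert a tag as the outermost tag, right after the two MAC addresses (OF 1.1 Push-VLAN)."""
    return frame[:12] + struct.pack("!HH", tpid, tci(vid, pcp, dei)) + frame[12:]


def pop_vlan(frame):
    """Remove the outermost tag (OF 1.1 Pop-VLAN); an untagged frame is returned unchanged."""
    if struct.unpack("!H", frame[12:14])[0] in TPIDS:
        return frame[:12] + frame[16:]
    return frame


def parse(frame):
    """Return (dst, src, tags, ethertype, payload); tags = [(tpid, pcp, dei, vid), ...], outermost first."""
    tags, off = [], 12
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        etype = struct.unpack("!H", frame[off:off + 2])[0]
        if etype not in TPIDS:
            return frame[:6], frame[6:12], tags, etype, frame[off + 2:]
        if len(frame) < off + 4:
            raise ValueError("truncated tag")
        t = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append((etype, t >> 13, (t >> 12) & 1, t & 0x0FFF))
        off += 4


# Constructed sample: untagged IPv4 frame (dst, src, ethertype 0x0800) with a dummy payload
UNTAGGED = bytes.fromhex("0a0000000002" "0a0000000001" "0800") + b"\x45" + b"\x00" * 19


def demo():
    """Untagged -> 802.1Q (C-VID 100) -> 802.1ad Q-in-Q (S-VID 2000 outermost), then pop both."""
    tagged = push_vlan(UNTAGGED, 100)                        # customer tag
    qinq = push_vlan(tagged, 2000, pcp=5, tpid=TPID_S)       # provider pushes the S-tag outermost
    return parse(tagged)[2], parse(qinq)[2], pop_vlan(pop_vlan(qinq)) == UNTAGGED


if __name__ == "__main__":
    print(demo())
```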
OpenFlow 1.1
Changes from 1.0 (cont.)

Group entry: Group ID | Group Type | Stats | Action Buckets

Group Tables
• Flows can point to a Group rather than to a specific Action
• Group Type defines the action to take:
  − All: Execute all action buckets, for broadcast & multicast; packet cloned for each bucket
  − Select: Execute one bucket in the group, based on a switch-computed mechanism
  − Indirect: Execute the one defined bucket in the group
  − Fast Failover: Execute the first live bucket

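The OpenFlow 1.1 pipeline of the preceding slides (multiple tables, Apply-/Write-/Clear-Actions, Write-Metadata, Goto-Table, action-set ordering, and the four group types), as an added example that is not part of the Brocade deck and not a real switch implementation. demo() wires up the Authentication, QoS and forwarding tables from the slide: the authenticated MAC, the metadata bit, the VLAN and ToS values and the fast-failover group over ports 5 and 6 are all constructed. Two details are the ones that matter in practice: a source that fails authentication is punted with Apply-Actions and gets no Goto-Table, so it never reaches forwarding, and the action set is executed in the order the spec fixes, with a Group action suppressing any Output.

```python
"""OpenFlow 1.1-style pipeline: multiple tables, instructions, action sets, metadata, groups."""
import zlib

# An action set executes in the order the spec fixes, not the order it was written (subset shown)
ACTION_ORDER = ["pop_vlan", "push_vlan", "set_field", "group", "output"]


def _key(action):
    """An action set keeps one action per type, except one Set-Field per field."""
    return (action[0], action[1][0]) if action[0] == "set_field" else action[0]


class Flow:
    def __init__(self, priority, match, instructions):
        self.priority, self.match, self.instructions = priority, match, instructions

    def matches(self, pkt, metadata):
        md = self.match.get("metadata")                        # (value, mask) masked match
        if md and (metadata & md[1]) != (md[0] & md[1]):
            return False
        return all(pkt.get(f) == v for f, v in self.match.items() if f != "metadata")


class Pipeline:
    def __init__(self, tables, groups):
        self.tables = tables                 # list of tables, each a list of Flow
        self.groups = groups                 # {group_id: (type, [(watch_port, actions), ...])}

    def run(self, pkt, in_port, live_ports):
        pkt, action_set, metadata, immediate, table = dict(pkt, in_port=in_port), {}, 0, [], 0
        while table is not None:
            flow = next((f for f in sorted(self.tables[table], key=lambda f: -f.priority)
                         if f.matches(pkt, metadata)), None)
            if flow is None:
                return pkt, immediate + ["CONTROLLER"]        # table miss: packet-in (OF 1.1 default)
            table = None                                      # pipeline ends unless Goto-Table says otherwise
            for kind, arg in flow.instructions:
                if kind == "apply_actions":                   # executed now, in list order
                    pkt, outs = self.execute(pkt, arg, live_ports)
                    immediate += outs
                elif kind == "clear_actions":
                    action_set = {}
                elif kind == "write_actions":                 # deferred until the pipeline ends
                    action_set.update({_key(a): a for a in arg})
                elif kind == "write_metadata":
                    value, mask = arg
                    metadata = (metadata & ~mask) | (value & mask)
                elif kind == "goto_table":
                    table = arg
        if "group" in action_set:                             # spec: a Group action suppresses Output
            action_set.pop("output", None)
        ordered = sorted(action_set.values(), key=lambda a: ACTION_ORDER.index(a[0]))
        pkt, outs = self.execute(pkt, ordered, live_ports)
        return pkt, immediate + outs

    def execute(self, pkt, actions, live_ports):
        outputs = []
        for kind, arg in actions:
            if kind == "set_field":
                pkt = dict(pkt, **{arg[0]: arg[1]})
            elif kind == "group":
                outputs += self.run_group(arg, pkt, live_ports)
            elif kind == "output":
                outputs.append(arg)
        return pkt, outputs

    def run_group(self, gid, pkt, live_ports):
        gtype, buckets = self.groups[gid]
        if gtype == "all":                                    # broadcast/multicast: every bucket, packet cloned
            chosen = buckets
        elif gtype == "indirect":
            chosen = buckets[:1]
        elif gtype == "select":                               # switch-chosen bucket; here a deterministic flow hash
            h = zlib.crc32(repr((pkt.get("nw_src"), pkt.get("nw_dst"))).encode())
            chosen = [buckets[h % len(buckets)]]
        else:                                                 # "ff": first bucket whose watch port is live
            chosen = [b for b in buckets if b[0] in live_ports][:1]
        return [o for _, acts in chosen for o in self.execute(pkt, acts, live_ports)[1]]


def demo(live_ports):
    """Authentication -> QoS -> Forwarding tables, as on the slide, ending in a fast-failover group."""
    known = "08:2c:67:81:3f:06"                               # constructed: the one authenticated MAC
    auth = [Flow(100, {"dl_src": known},
                 [("write_actions", [("set_field", ("vlan_vid", 22))]),
                  ("write_metadata", (0x1, 0xFF)),            # metadata bit 0 = authenticated
                  ("goto_table", 1)]),
            Flow(0, {}, [("apply_actions", [("output", "CONTROLLER")])])]   # unknown source: punt, no Goto
    qos = [Flow(100, {"metadata": (0x1, 0x1), "tp_dst": 80},
                [("write_actions", [("set_field", ("nw_tos", 0x22))]), ("goto_table", 2)]),
           Flow(50, {"metadata": (0x1, 0x1)}, [("goto_table", 2)])]
    fwd = [Flow(100, {"nw_dst": "10.2.8.9"}, [("write_actions", [("group", 1)])]),
           Flow(0, {}, [("write_actions", [("output", "NORMAL")])])]
    groups = {1: ("ff", [(5, [("output", 5)]), (6, [("output", 6)])])}   # primary port 5, backup 6
    pipe = Pipeline([auth, qos, fwd], groups)
    web = {"dl_src": known, "nw_dst": "10.2.8.9", "tp_dst": 80}
    return pipe.run(web, 3, live_ports), pipe.run(dict(web, dl_src="00:11:22:33:44:55"), 3, live_ports)
```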
OpenFlow 1.2
Changes from 1.1

• Extensibility within the standard
  − Allows adding your own new, vendor-specific match fields
  − Extensible Matching: TLVs
  − Extensions for Actions: re-uses the TLV match structure
• No backwards compatibility

Old Way (fixed match structure):
  Ingress Port | MAC Src | MAC Dst | Eth Type | VLAN Id | VLAN Prior | IP Src | IP Dst | IP Prot | IP ToS | TCP/UDP sport | TCP/UDP dport

New Way (list of Type | Len | Value entries):
  IN | Len | Value
  SA | Len | Value
  DA | Len | Value
  Eth | Len | Value
  VLAN | Len | Value
  ...
  New | Len | Value

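The TLV match structure above, as an added example that is not part of the Brocade deck: an encoder and parser for OpenFlow 1.2 OXM entries (16-bit class, 7-bit field, 1-bit has-mask, 8-bit length, then value and optional mask). The field numbers and sizes are the OpenFlow 1.2 basic-class values; the sample match is constructed. The parser treats the length byte as untrusted and refuses a TLV that would read past the buffer or whose length disagrees with the field's known size, which is the check a controller or switch needs before acting on a match from the other side of the connection.

```python
"""OpenFlow 1.2 OXM (OpenFlow Extensible Match) TLV encoding and parsing."""
import struct

OFPXMC_OPENFLOW_BASIC = 0x8000
OFPXMC_EXPERIMENTER = 0xFFFF        # vendor-defined fields; value starts with a 4-byte experimenter ID

# field id -> (name, value length in bytes): OpenFlow 1.2 ofp_oxm_ofb_match_fields, subset
OFB_FIELDS = {0: ("in_port", 4), 3: ("eth_dst", 6), 4: ("eth_src", 6), 5: ("eth_type", 2),
              6: ("vlan_vid", 2), 10: ("ip_proto", 1), 11: ("ipv4_src", 4), 12: ("ipv4_dst", 4),
              14: ("tcp_dst", 2), 26: ("ipv6_src", 16), 27: ("ipv6_dst", 16)}
NAME_TO_ID = {name: fid for fid, (name, _) in OFB_FIELDS.items()}


def encode_oxm(name, value, mask=None):
    """One TLV: class(16) | field(7) hasmask(1) | length(8) | value [mask]."""
    fid = NAME_TO_ID[name]
    size = OFB_FIELDS[fid][1]
    if len(value) != size or (mask is not None and len(mask) != size):
        raise ValueError(f"{name} needs a {size}-byte value/mask")
    body = value + (mask or b"")
    header = struct.pack("!HBB", OFPXMC_OPENFLOW_BASIC, (fid << 1) | (mask is not None), len(body))
    return header + body


def parse_oxm(buf):
    """Parse a sequence of OXM TLVs into [(name, value, mask)], rejecting malformed lengths."""
    fields, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated OXM header")
        cls, fh, length = struct.unpack("!HBB", buf[off:off + 4])
        fid, hasmask = fh >> 1, fh & 1
        if off + 4 + length > len(buf):
            raise ValueError("OXM length exceeds buffer")    # never trust the length byte
        body = buf[off + 4:off + 4 + length]
        off += 4 + length
        if cls == OFPXMC_EXPERIMENTER:
            fields.append((f"experimenter:{body[:4].hex()}", body[4:], None))
            continue
        if cls != OFPXMC_OPENFLOW_BASIC or fid not in OFB_FIELDS:
            fields.append((f"unknown:{cls:#x}/{fid}", body, None))
            continue
        name, size = OFB_FIELDS[fid]
        if length != size * (2 if hasmask else 1):
            raise ValueError(f"bad length {length} for {name}")
        fields.append((name, body[:size], body[size:] if hasmask else None))
    return fields


def build_match(**kw):
    """Keyword values are bytes, or (value_bytes, mask_bytes) for a masked field."""
    out = b""
    for name, v in kw.items():
        out += encode_oxm(name, *v) if isinstance(v, tuple) else encode_oxm(name, v)
    return out


# Constructed sample: in_port 3, IPv4, dst 10.2.8.0/24, TCP, dport 80
SAMPLE = build_match(in_port=(3).to_bytes(4, "big"), eth_type=b"\x08\x00",
                     ipv4_dst=(bytes([10, 2, 8, 0]), bytes([255, 255, 255, 0])),
                     ip_proto=b"\x06", tcp_dst=(80).to_bytes(2, "big"))


if __name__ == "__main__":
    for name, value, mask in parse_oxm(SAMPLE):
        print(name, value.hex(), mask.hex() if mask else "-")
```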
OpenFlow 1.2
Changes from 1.1 (cont.)

Adds IPv6 support
− Match on IPv6 source/destination address
− Match on ICMPv6 type and code, and on neighbor discovery fields
− Match on IPv6 flow label

OpenFlow 1.3
Changes from 1.2

PBB (Provider Backbone Bridging) - Inserts a new MAC header at the beginning of the packet

  B-SA: Backbone SA
  B-DA: Backbone DA
  B-VID: Backbone VID
  I-SID: Service ID

Frame layouts (destination MAC comes first on the wire):
  Untagged packet:           DA | SA | Eth Type | Payload
  802.1Q VLAN-tagged packet: DA | SA | 802.1Q Tag (VID) | Eth Type | Payload
  PBB packet:                B-DA | B-SA | B-VID tag (S-VID) | I-SID tag (C-VID) | DA | SA | Eth Type | Payload

NETCONF
NETCONF
Comparison to OpenFlow

OpenFlow
• Hardware: Program device hardware
• Low-level: Operates at the low level of the network device

NETCONF
• Software: Configure device software
• High-level: Operates at the high level of the network device

[Figure: Controller to Device: OpenFlow programs the OpenFlow Tables in HW; NETCONF configures the Device Software (Security, Policy, ... etc) above the HW]

NETCONF
Basics

• Configuration: A protocol for configuring network devices.
• Network Management: Intended to be used by network management systems, as a successor to SNMP.
• Data Types: NETCONF separates data into Configuration (static) and Operational (dynamic).
• RPCs: Specify APIs that can be called to invoke operations on the device.
• Notifications: Specify events to be sent under certain conditions.

[Figure: Network Management system to Device Software (Security, Policy, ... etc) over HW]
NETCONF
Compared to SNMP & CLI

CLI:
• Unstructured data
• Get/Set data

SNMP:
• Structured data model (SMI)
• Get/Set data
• SNMP traps
• "Agent"

NETCONF:
• Structured data model (YANG)
• Get/Set config data
• Get operational data
• Notifications
• RPCs
• "Server"
NETCONF and YANG

YANG:
• Data Definition Language
  − YANG is the data definition language used primarily with NETCONF.
• SMI: YANG is to NETCONF as SMI is to SNMP.
• Operations: Configuration and Operational data, RPCs, and Notifications.
• Hierarchical: Tree with branches and leaf nodes (like an SNMP MIB).
• Node Types:
  − Container: Major holder of large amounts of data.
  − Leaf-List: Array of like items.
  − List: Keyed entries, each a structure of multiple types of items.
  − Leaf: Actual data.
Network Device NETCONF Data

Depends on the device and what it supports, but in general...

Policy:
• Match: Can match packets on ingress for the normal fields such as MAC/IP source and destination, IP protocol, UDP/TCP port.
• Policy: Can set policy on packet in form of CoS, QoS, VLAN, etc.
Security:
• ACLs: Can set PERMIT or DENY based on match fields listed above, in order to create firewall-type functionality.
Forwarding:
• Routes: Can set routing behavior including static routes and forwarding to tunnels.
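The NETCONF exchange behind the last four slides, as an added example that is not part of the Brocade deck and not a Brocade or OpenDaylight client: the client-side pieces of a session that pushes an ACL deny rule to a device. It builds the hello with capabilities, frames messages the way RFC 6242 chunked framing does once both sides advertise :base:1.1, builds an <edit-config> against the candidate datastore, and checks the <rpc-reply>. The ACL YANG layout (an assumed module in namespace urn:example:acl, sketched in the comment) is illustrative and not an IETF or vendor model; the two replies are constructed samples of what a server sends back. The reply check insists that the message-id matches the request and surfaces <rpc-error> rather than assuming success, which is what separates a change that was actually committed from one the device quietly rejected for lack of authorization.

```python
"""NETCONF client-side message handling: hello, RFC 6242 framing, edit-config, reply checking."""
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
EOM = b"]]>]]>"                                  # :base:1.0 end-of-message framing (legacy)

# Assumed illustrative YANG for the config below (not a real module):
#   container acl { leaf name; list rule { key "src dst dport";
#                   leaf src; leaf dst; leaf dport; leaf action; } }


def frame_chunked(msg):
    """RFC 6242 chunked framing, used once both peers advertise :base:1.1."""
    data = msg.encode()
    return b"\n#%d\n" % len(data) + data + b"\n##\n"


def unframe_chunked(buf):
    """Reassemble one chunked message; rejects truncated or out-of-range chunk sizes."""
    out, pos = b"", 0
    while True:
        if not buf.startswith(b"\n#", pos):
            raise ValueError("bad chunk header")
        nl = buf.index(b"\n", pos + 2)
        hdr = buf[pos + 2:nl]
        if hdr == b"#":                          # end-of-chunks marker
            return out.decode()
        size = int(hdr)
        if size < 1 or size > 4294967295 or nl + 1 + size > len(buf):
            raise ValueError("chunk size out of range or truncated")
        out += buf[nl + 1:nl + 1 + size]
        pos = nl + 1 + size


def hello(caps=("urn:ietf:params:netconf:base:1.0", "urn:ietf:params:netconf:base:1.1")):
    h = ET.Element("hello", xmlns=NC)
    cs = ET.SubElement(h, "capabilities")
    for c in caps:
        ET.SubElement(cs, "capability").text = c
    return ET.tostring(h).decode()


def edit_config_acl(message_id, acl_name, src, dst, dport, action="deny"):
    """<edit-config> on the candidate datastore creating one rule in the assumed ACL model."""
    rpc = ET.Element("rpc", {"message-id": str(message_id), "xmlns": NC})
    ec = ET.SubElement(rpc, "edit-config")
    ET.SubElement(ET.SubElement(ec, "target"), "candidate")
    ET.SubElement(ec, "default-operation").text = "merge"
    cfg = ET.SubElement(ec, "config")
    acl = ET.SubElement(cfg, "acl", xmlns="urn:example:acl")       # assumed namespace
    ET.SubElement(acl, "name").text = acl_name
    rule = ET.SubElement(acl, "rule", {"xmlns:nc": NC, "nc:operation": "create"})
    for tag, val in (("src", src), ("dst", dst), ("dport", str(dport)), ("action", action)):
        ET.SubElement(rule, tag).text = val
    return ET.tostring(rpc).decode()


def check_reply(xml_text, expected_id):
    """Return None on <ok/>, else [(error-tag, error-message), ...]; the message-id must match ours."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NC}}}rpc-reply" or root.get("message-id") != str(expected_id):
        raise ValueError("reply does not correspond to our request")
    if root.find(f"{{{NC}}}ok") is not None:
        return None
    return [(e.findtext(f"{{{NC}}}error-tag"), e.findtext(f"{{{NC}}}error-message"))
            for e in root.findall(f"{{{NC}}}rpc-error")]


# Constructed sample replies, as a server would send them
REPLY_OK = f'<rpc-reply message-id="101" xmlns="{NC}"><ok/></rpc-reply>'
REPLY_ERR = (f'<rpc-reply message-id="102" xmlns="{NC}"><rpc-error><error-type>application</error-type>'
             '<error-tag>access-denied</error-tag><error-severity>error</error-severity>'
             '<error-message>not authorized to write acl</error-message></rpc-error></rpc-reply>')


if __name__ == "__main__":
    req = edit_config_acl(101, "edge-in", "10.0.0.0/8", "10.2.8.9/32", 23)
    print(frame_chunked(hello()).decode(), frame_chunked(req).decode())
    print(check_reply(REPLY_OK, 101), check_reply(REPLY_ERR, 102))
```

In a real session these frames travel inside the SSH "netconf" subsystem; the framing switches from the `]]>]]>` end-of-message marker to chunked framing only after both hellos have advertised :base:1.1, and the client should commit the candidate datastore separately once the <ok/> arrives.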
Use Cases
Google WAN
Without OpenFlow

• Autonomous competition for paths
• Only one wins, others retry
• Repeat until everybody has a path

1. Link failure detected, other devices informed
2. Devices autonomously compete for the best path, all but one lose, then repeat

[Figure: a mesh of Data Forwarding devices contending for the Best route]
Google WAN
With OpenFlow

• Optimal path computation
• Repeatable path computation

1. Link failure detected, Central TE informed
2. TE calculates routes and informs devices
3. No autonomous trial-and-error by routers

[Figure: Central TE Controller (Traffic, Topo, Policy) above a mesh of Data Forwarding devices; the controller installs the Best route]
Routed Networks and SDN

• Labor-intensive CLI or GUI
• Maintaining consistency among routers
• Quickly adapting to changes and/or failures
• Many of the same patterns and issues as the datacenter

[Figure: Controller (Topo, Policy, Traffic) above a mesh of Data Forwarding devices]

Carrier Networks and SDN

• Many boundaries requiring encapsulation
• Traffic engineering required: Customers only pay for what they actually use
• Quickly adapting to changes and/or failures
• Multiple customers, domains, layers, geographies
• Monetization: Squeezing costs, NFV

[Figure: CE (customer edge) devices attached to PE (provider edge) routers]

Load Balancing and SDN

Load-balancing well-suited for SDN
• Flow-based forwarding decisions
• SDN's agility and automation

Challenges for SDN
• Stateful needs
• Deep packet inspection needs

[Figure: a Switch acting as Load Balancer with a Pattern / Action table: 1.1.1.5 / 1, 1.1.1.7 / 2, 1.1.1.2 / 3, 1.1.1.4 / 1, 1.1.1.9 / 2]
Firewalls and SDN

Firewalls well-suited to SDN
• Block/allow IP addresses
• Block/allow TCP/UDP ports

Challenges for SDN
• Complex/stateful firewall rules
• Deep packet inspection needs

[Figure: a Switch acting as Firewall with a Pattern / Action table: HTTPS / Allow, HTTP / Allow, Exchange... / Allow, Other Svcs / Allow, * / Deny]
Campus Environments and SDN

Access control solutions today are expensive, error-prone, complicated, and cumbersome

SDN simplifies the solution
o MAC authentication via OpenFlow
o Redirection to support BYOD

Challenges for SDN
o Flow table sizes
o Co-existence with 802.1X
o A MAC address is trivially spoofed, so MAC authentication on its own identifies a port's current claimant, not a user; 802.1X is what actually authenticates

[Figure: a Switch or AP serving Guest laptops, Company laptops, an Employee's iPad, and a Company iPad]
SDN Survey
Survey of SDN Activities

SDN
• Open Networking Foundation
• Open Source SDN Controllers
• OpenDaylight
• Cisco (OnePK, XNC, APIC-DC, APIC-EM, Tail-f)
• Juniper (Contrail, OpenContrail)
• VMware (Nicira, NSX)
• HP (VAN SDN Controller)
• NEC (Programmable Flow Controller)
• BigSwitch, PLUMgrid, Embrane, Ciena, Vello, etc.

NFV
• Network Functions Virtualization
• Move networking appliance functionality to software

OpenStack
• Network is a virtual resource
• Can use SDN or not
End of SDN Overview
