• All or some of the products detailed in this presentation may still be under
development and certain specifications, including but not limited to, release dates,
prices, and product features, may change. The products may not function as intended
and a production version of the products may never be released. Even if a production
version is released, it may be materially different from the pre-release version
discussed in this presentation.
• Nothing in this presentation shall be deemed to create a warranty of any kind, either
express or implied, statutory or otherwise, including but not limited to, any implied
warranties of merchantability, fitness for a particular purpose, or non-infringement of
third-party rights with respect to any products and services referenced herein.
• ADX, AnyIO, Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, ICX,
MLX, MyBrocade, OpenScript, VCS, VDX, and Vyatta are registered trademarks, and
HyperEdge, The Effortless Network, and The On-Demand Data Center are trademarks
of Brocade Communications Systems, Inc., in the United States and/or in other
countries. Other brands, products, or service names mentioned may be trademarks
of their respective owners.
A Brief History of Networking
2015: PCs, laptops, tablets, phones, cloud, datacenters, virtualization, ...
• Distributed control
• Independent, intelligent, and autonomous network devices
[Figure: a row of switches, each carrying its own control plane and its own data (forwarding) plane]
Why are we still here?
Well it seemed like a good idea at the time...
2/26/2018 7
ForCES
Forwarding and Control Element Separation
Separation of the forwarding and control planes (IETF ForCES working group; framework in RFC 3746)
[Figure: a set of router blades, each a forwarding element (FE), sitting below a separate control element]
Clean Slate Program
Starting Over
Forwarding at edge
[Figure: three network elements side by side]
Ethane
Complete SDN(ish) System
Circa 2007: research implementation from the Clean Slate program
• Central controller: holds the policies, host registration, bindings, and network topology
• Simple forwarding devices: network elements whose forwarding plane is just flow tables
[Figure: the Ethane controller above three network elements, each a forwarding plane with flow tables]
OpenFlow Protocol
Evolves from prior work
Why SDN ?
[Figure: the computer analogy: applications on top of an operating system, repeated per machine]
Why is this bad?
• Restricted opportunities for innovation
• Vendor hegemony and lock-in
• Result: static, rigid, and inflexible networks
Cloud & Mobile Timeline
What was Driving the Networking Market
• Massive scale of DCs and cloud threaten to break many network technologies:
− MAC table issues: overflowing
− Spanning tree issues: unused links
− VLAN issues: 4K not enough for multi-tenant clouds
− Inter Data Center Traffic Engineering: how to handle massive traffic loads
MAC Address Table Overflow
• A switch whose MAC table is full can no longer learn new source addresses, so frames to those destinations are flooded out every port in the VLAN, with significant performance implications
• The same flooding is a security problem: a host that deliberately exhausts the table (a stream of frames with random source MACs) then receives a copy of other hosts' unicast traffic
[Figure: a switch whose MAC table is filled with entries]
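The mechanism behind the slide, as an added example (not code from the slides or from any switch vendor): a learning switch with a bounded MAC table. Two hosts talk normally, an attacker on a third port floods the table with random source MACs, and once a legitimate entry ages out it cannot be re-learned, so unicast traffic to that host is flooded, attacker's port included. The table size, ports and MAC addresses are constructed for illustration.

```python
"""Learning switch with a bounded MAC table: why a full table floods.

Added example for this section; not code from the slides or any vendor.
Port numbers, MAC addresses and TABLE_SIZE are constructed for illustration.
"""
from collections import OrderedDict
import random

TABLE_SIZE = 64   # deliberately tiny; real switches hold thousands of entries


class LearningSwitch:
    def __init__(self, ports, table_size=TABLE_SIZE):
        self.ports = list(ports)
        self.table_size = table_size
        self.mac_table = OrderedDict()   # MAC -> port
        self.stats = {"learned": 0, "learn_failed": 0, "flooded": 0, "unicast": 0}

    def learn(self, src_mac, in_port):
        if src_mac in self.mac_table:
            self.mac_table[src_mac] = in_port      # refresh the existing entry
            return
        if len(self.mac_table) >= self.table_size:
            # Table full: the switch cannot learn this source until an older
            # entry ages out, which is how many switches behave.
            self.stats["learn_failed"] += 1
            return
        self.mac_table[src_mac] = in_port
        self.stats["learned"] += 1

    def forward(self, src_mac, dst_mac, in_port):
        """Returns the list of ports the frame is sent out of."""
        self.learn(src_mac, in_port)
        out_port = self.mac_table.get(dst_mac)
        if out_port is None or out_port == in_port:
            # Unknown destination: flood to every port but the ingress port.
            self.stats["flooded"] += 1
            return [p for p in self.ports if p != in_port]
        self.stats["unicast"] += 1
        return [out_port]

    def age_out(self, mac):
        """Remove an entry as the switch's aging timer would (default ~300 s)."""
        self.mac_table.pop(mac, None)


def random_mac(rng):
    # Locally administered unicast MAC (0x02 prefix) with 5 random octets.
    return "02:" + ":".join("%02x" % rng.randrange(256) for _ in range(5))


def run_overflow_scenario(attack_frames=500, seed=1):
    """Victim A (port 1) talks to B (port 2); the attacker sits on port 3.
    Returns (egress ports for A->B before the attack, egress ports after)."""
    rng = random.Random(seed)
    sw = LearningSwitch(ports=[1, 2, 3])
    A, B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"

    sw.forward(A, B, in_port=1)              # A learned (B still unknown: flooded)
    sw.forward(B, A, in_port=2)              # B learned
    before = sw.forward(A, B, in_port=1)     # unicast straight to port 2

    # Attack: a burst of frames from random source MACs fills the table.
    for _ in range(attack_frames):
        sw.forward(random_mac(rng), "ff:ff:ff:ff:ff:ff", in_port=3)

    # B's entry eventually ages out; the attacker's stream immediately
    # refills the freed slot, so B's next frame cannot be re-learned...
    sw.age_out(B)
    sw.forward(random_mac(rng), "ff:ff:ff:ff:ff:ff", in_port=3)
    sw.forward(B, A, in_port=2)              # learn() fails: table is full
    # ...and traffic to B is now flooded, reaching the attacker on port 3.
    after = sw.forward(A, B, in_port=1)
    return before, after
```

`run_overflow_scenario()` returns `([2], [2, 3])`: before the attack A's frames go only to B's port, afterwards they also reach the attacker. This is the classic CAM-overflow sniffing attack; limiting the number of MACs learned per access port (port security) is the usual mitigation, and a central controller that already knows where every host is (the point made in the Distributed vs. Central slide) removes the need to learn at all.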
Spanning Tree Inefficiency
[Figure: two switches joined by redundant links; spanning tree leaves one link forwarding and blocks the others, so their capacity goes unused]
VLAN Exhaustion
Optimal Traffic Engineering
[Figure: shortest-path forwarding sends all traffic over one congested path; an open SDN controller with a view of the whole topology steers traffic onto an uncongested path]
Data Centers
Different attempts have been made to make datacenter networking more agile and able
to adapt to changes:
• Orchestration solutions
• VM Management Plug-in solutions
• RADIUS solutions
Orchestration Solutions
• Vendor X orchestration: scripting to automate certain common tasks
• Not dynamic enough for datacenter automation needs
[Figure: an aggregation switch above TOR switches A and B, hypervisors A and B, and VMs A1, A2, A3, A1, B1, B2]
VM Plug-in Solutions
• Plug-in linked to the server virtualization platform
• Network attributes updated by CLI & SNMP
[Figure: VM management plug-in driving the aggregation switch and TOR switches A and B]
RADIUS Solutions
• Network attributes updated by RADIUS policy from a RADIUS server
[Figure: RADIUS server and policy above the aggregation switch; the VM-facing side is marked untrusted; VMs A1, A2, A3, A1, B1, B2]
Enough Said…
Solving Data Center Issues
Tunnels
Different attempts have been made to make networking better able to handle
datacenter issues such as MAC address table and VLAN exhaustion using tunnels:
• Virtual Networking solutions using tunnels
• Spanning Tree replacement protocols
Network Virtualization
VXLAN
[Figure: the original packet carried inside an outer Ethernet header (Dest, Source), outer IP header (Source, Dest), UDP header (Src UDP port, Dst UDP port) and the VXLAN header]
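The encapsulation on the slide, built and parsed byte by byte, as an added example (not code from the slides or from any VTEP implementation). The outer Ethernet / IPv4 / UDP / VXLAN layout, UDP port 4789 and the 8-byte VXLAN header follow RFC 7348; the MAC and IP addresses and the inner frame are constructed test data.

```python
"""VXLAN encapsulation and decapsulation with the struct module.

Added example for this section; not code from the slides or any VTEP.
Addresses and the inner frame are constructed test data.
"""
import socket
import struct

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08        # "I" bit: the VNI field is valid


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_checksum(header):
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vxlan_encapsulate(inner_frame, vni, outer_src_mac, outer_dst_mac,
                      outer_src_ip, outer_dst_ip, udp_src_port=49152):
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)
    vxlan_hdr = struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)
    payload = vxlan_hdr + inner_frame
    udp_len = 8 + len(payload)
    # UDP checksum 0 is permitted over IPv4; VTEPs commonly send it that way.
    udp_hdr = struct.pack("!HHHH", udp_src_port, VXLAN_UDP_PORT, udp_len, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                         socket.inet_aton(outer_src_ip), socket.inet_aton(outer_dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = mac_bytes(outer_dst_mac) + mac_bytes(outer_src_mac) + b"\x08\x00"
    return eth_hdr + ip_hdr + udp_hdr + payload


def vxlan_decapsulate(packet):
    """Parse the outer headers; return (vni, inner_frame) or raise ValueError."""
    if len(packet) < 14 + 20 + 8 + 8:
        raise ValueError("packet too short for VXLAN")
    if packet[12:14] != b"\x08\x00":
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[14] & 0x0F) * 4
    if packet[14 + 9] != 17:
        raise ValueError("outer packet is not UDP")
    udp_off = 14 + ihl
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[udp_off:udp_off + 8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port %d is not VXLAN" % dst_port)
    vx_off = udp_off + 8
    flags, vni_field = struct.unpack("!B3xI", packet[vx_off:vx_off + 8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: no valid VNI")
    inner = packet[vx_off + 8:udp_off + udp_len]
    return vni_field >> 8, inner


# Constructed inner frame: tenant host -> tenant host, IPv4 ethertype, dummy payload.
SAMPLE_INNER_FRAME = (mac_bytes("02:aa:bb:cc:dd:02") + mac_bytes("02:aa:bb:cc:dd:01")
                      + b"\x08\x00" + b"tenant payload")


def build_sample(vni=5000):
    """Encapsulate the constructed inner frame between two hypothetical VTEPs."""
    return vxlan_encapsulate(SAMPLE_INNER_FRAME, vni,
                             outer_src_mac="02:11:22:33:44:01", outer_dst_mac="02:11:22:33:44:02",
                             outer_src_ip="192.0.2.1", outer_dst_ip="192.0.2.2")
```

The thing to notice is what the parser does not check: nothing in the packet authenticates the sender or the VNI. Any host that can deliver UDP/4789 to a VTEP's underlay address can inject frames into whichever tenant segment it names, which is why RFC 7348 leaves isolation to the underlay (restrict VTEP-to-VTEP traffic to known peers, or carry the tunnels over IPsec).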
Network Virtualization
NVGRE
[Figure: the original packet carried inside an outer Ethernet header (Dest, Source), outer IP header (Source, Dest) and a GRE header carrying the virtual subnet identifier]
Network Virtualization
STT
[Figure: the original packet carried inside an outer Ethernet header (Dest, Source), outer IP header (Source, Dest), a TCP-like header (Src TCP port, Dst TCP port) and the STT header with its context ID]
Network Virtualization
Orchestration Anyone ?
SPB(M): USING MAC-IN-MAC
• B-SA: Backbone SA
• B-DA: Backbone DA
• B-VID: Backbone VID
• I-SID: Service ID
[Figure: an untagged packet (SA, DA, Eth Type, Payload) or an 802.1Q VLAN-tagged packet (SA, DA, 802.1Q tag with VID, Eth Type, Payload) encapsulated inside a backbone header of B-SA, B-DA, B-VID and I-SID]
Distributed vs. Central
“Why do I want my Ethernet switches to relearn where every VM is located in the data
center every 5 minutes when my orchestration system knows exactly where each VM is
and no VM moves without my orchestration system telling it to move.”
-- Cloud Datacenter Architect
Closed Systems vs Open Systems
[Figure: orchestration layer above the infrastructure layer]
SDN Definitions: Will the real SDN please stand up?
SDN Definitions
Depends who you ask...
• Neurologist: Sexually Dimorphic Nucleus
OpenFlow-based SDN
Separate Control & Forwarding Planes
• Moving control functionality to a centralized controller
• Controller handles the control plane functionality
[Figure: the controller above forwarding devices that keep only the forwarding plane]
Open Networking via SDN
[Figure: forwarding devices under an open controller]
SDN: The Big Picture
• A network operating system
• A suite of network applications
[Figure: applications above the network operating system (control) above the data plane (forwarding)]
Inside Networking Devices Today
Network device software:
• Services: SNMP agent, web UI, CLI, config
• Features: ACLs, QoS, routing, spanning tree, security (virus throttling, snooping, access control)
• All on top of a low-level ASIC interface
Inside Networking Devices
With OpenFlow
[Figure: the same device software stack, plus an OpenFlow agent talking to the controller and an OpenFlow table alongside ACLs, QoS, routing and spanning tree on the low-level ASIC interface]
SDN APIs
• Southbound protocol can be open or proprietary.
• Examples: OpenDaylight, OpenContrail, Brocade-ODL.
[Figure: controller with a control API down to forwarding devices]
SDN APIs
Policy-Level: Open but policy-specific
• Ability for applications to be written to interact with the policy layer on the controller, to manage and control the policy behavior of the network.
• Policy API is open to network applications, but the API is specific to the controller's policy-based functionality.
• Southbound protocol can be open or proprietary.
• Example: APIC-DC.
[Figure: apps above a policy controller with a control API down to forwarding devices]
Overlay-based SDN
Overlays
• Completely virtualized networks
• Completely independent of equipment below
[Figure: overlay networks riding on the physical network of network devices]
Overlays
• Implemented in hypervisor
[Figure: overlay networks terminated in the physical servers, over the physical network]
Overlay Tunneling Alternatives
Overlay Tunneling Operation
[Figure: a tunnel between VTEPs (VXLAN tunnel end points), each VTEP encapsulating on the way in and decapsulating on the way out]
SDN Operation
Anatomy of an SDN Device
[Figure: the hardware forwarding path with an agent up to the controller]
Anatomy of a Software SDN Device
• Slower: no hardware acceleration
• Simpler: no issues related to HW table sizes
[Figure: a software switch with packet processing in SW, exposed through an API, OpenFlow and NETCONF]
SDN Device: Hybrid Modes
SDN Device "Hybrid" functionality: multiple meanings
• Forwarding Mode: support for the FORWARD_NORMAL OpenFlow action (output to the reserved NORMAL port, OFPP_NORMAL), which puts the packet through the normal processing pipeline (VLAN, L2, L3, ACL) instead of the OpenFlow table
[Figure: an OpenDaylight controller above device firmware running STP, OSPF, MAC learning, ACLs and an OpenFlow agent; ports feed either the normal pipeline or OpenFlow processing]
SDN Controller Overview
• Acts on events received from the devices:
− Drop, modify, forward packet
− Add, delete, modify flows
SDN Controller Applications
• Routing
• Load balancer
• Firewall
• Additional applications
[Figure: controller with a northbound REST API and Java API, internal modules (device manager, discovery & topology, flows, stats) and a southbound interface to the devices]
SDN Controller Considerations
• No standard northbound API
• Coordination between applications
• Scalability, high-availability, performance
[Figure: the same controller block diagram: northbound REST and Java APIs, modules, southbound interface]
OpenFlow Protocol
OpenFlow Basics
Flow Entries and Tables
• Flow Entries: Match Fields | Stats | Actions
− Match fields: matching incoming packets
− Stats: keeping tally of packet matches
− Actions: what to do if the packet matches
• Flow Tables
− Match: perform the associated action/instruction
[Figure: controller above a flow table in the forwarding plane]
• Match Fields:
− Basic 12-tuple (OpenFlow 1.0)
− MAC src/dst, IP src/dst, VLAN, TCP/UDP ports, physical switch port...
− Wildcards
12-tuple: Ingress Port | MAC Src | MAC Dst | Eth Type | VLAN Id | VLAN Prior | IP Src | IP Dst | IP Prot | IP ToS | TCP/UDP sport | TCP/UDP dport
OpenFlow 1.0
Flow Entries
Ingress Port | MAC Src | MAC Dst | Eth Type | VLAN Id | VLAN Prior | IP Src | IP Dst | IP Prot | IP ToS | TCP/UDP sport | TCP/UDP dport
OpenFlow 1.0
Tables
− Proactive flows are set 'permanently' or by default, and typically do not age out
− Reactive flows are set dynamically, in reaction to device/state changes, and typically age out after some inactivity
OpenFlow 1.0
Flow Entry Examples
Ingress Port | MAC Src | MAC Dst | Eth Type | VLAN Id | VLAN Prior | IP Src | IP Dst | IP Prot | IP ToS | TCP/UDP sport | TCP/UDP dport | Action
3 | * | * | * | * | * | * | * | * | * | * | * | Output: Port 5
* | 08:2c:67:81:3f:06 | * | * | * | * | * | * | * | * | * | * | Modify-field: VLAN Id = 22
* | * | * | * | 85 | * | * | * | * | * | * | * | Modify-field: VLAN Pri = 7
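The three entries above, installed into a small model of an OpenFlow 1.0 flow table and exercised with constructed packets, as an added example (not code from the slides, nor from any switch or controller). Field names follow the slide's 12-tuple; wildcards are fields simply left out of the match; the table-miss behaviour (packet-in to the controller) is the OpenFlow 1.0 default. Port numbers, the extra output actions and the test packets are assumptions made for the example.

```python
"""OpenFlow 1.0 flow table: 12-tuple match with wildcards, priority,
per-entry statistics and an action list.

Added example; not code from the slides or from any switch or controller.
Ports and packets are constructed test data.
"""
from dataclasses import dataclass

FIELDS = ("in_port", "dl_src", "dl_dst", "dl_type", "dl_vlan", "dl_vlan_pcp",
          "nw_src", "nw_dst", "nw_proto", "nw_tos", "tp_src", "tp_dst")
OFP_DEFAULT_PRIORITY = 0x8000


@dataclass
class FlowEntry:
    match: dict            # field -> exact value; any field not listed is a wildcard (*)
    actions: list          # ordered (action, argument) pairs
    priority: int = OFP_DEFAULT_PRIORITY
    packet_count: int = 0  # stats
    byte_count: int = 0

    def matches(self, pkt):
        return all(pkt.get(f) == v for f, v in self.match.items())


class FlowTable:
    def __init__(self):
        self.entries = []
        self.packet_in = []    # packets punted to the controller on table miss

    def add_flow(self, match, actions, priority=OFP_DEFAULT_PRIORITY):
        unknown = set(match) - set(FIELDS)
        if unknown:
            raise ValueError("not OpenFlow 1.0 match fields: %s" % sorted(unknown))
        self.entries.append(FlowEntry(dict(match), list(actions), priority))
        # Highest priority first.  Among equal priorities OpenFlow 1.0 leaves the
        # choice to the switch; the stable sort keeps installation order here.
        self.entries.sort(key=lambda e: -e.priority)

    def process(self, pkt, length=64):
        """Returns (egress ports, packet as modified by the matched actions)."""
        pkt = dict(pkt)
        for entry in self.entries:
            if entry.matches(pkt):
                entry.packet_count += 1
                entry.byte_count += length
                return self.apply(entry.actions, pkt)
        self.packet_in.append(pkt)       # table miss -> packet-in to controller
        return [], pkt

    @staticmethod
    def apply(actions, pkt):
        out = []
        for name, arg in actions:
            if name == "output":
                out.append(arg)
            elif name == "set_vlan_vid":
                pkt["dl_vlan"] = arg
            elif name == "set_vlan_pcp":
                pkt["dl_vlan_pcp"] = arg
            else:
                raise ValueError("unsupported action %s" % name)
        return out, pkt                  # no output action => packet is dropped


def slide_examples():
    """Install the slide's three entries; return a dict of results per packet."""
    ft = FlowTable()
    # Row 1: ingress port 3, all else wildcarded -> Output: Port 5
    ft.add_flow({"in_port": 3}, [("output", 5)])
    # Row 2: MAC src 08:2c:67:81:3f:06 -> Modify-field: VLAN Id = 22.  The slide
    # shows only the modify; an output is added because an action list with no
    # output drops the packet in OpenFlow 1.0.  Same for row 3.
    ft.add_flow({"dl_src": "08:2c:67:81:3f:06"}, [("set_vlan_vid", 22), ("output", 7)])
    # Row 3: VLAN Id 85 -> Modify-field: VLAN Pri = 7
    ft.add_flow({"dl_vlan": 85}, [("set_vlan_pcp", 7), ("output", 9)])

    base = {"dl_dst": "02:00:00:00:00:99", "dl_type": 0x0800, "dl_vlan_pcp": 0}
    results = {
        "port3": ft.process(dict(base, in_port=3, dl_src="02:00:00:00:00:01", dl_vlan=10)),
        "mac": ft.process(dict(base, in_port=1, dl_src="08:2c:67:81:3f:06", dl_vlan=10)),
        "vlan85": ft.process(dict(base, in_port=2, dl_src="02:00:00:00:00:02", dl_vlan=85)),
        "miss": ft.process(dict(base, in_port=4, dl_src="02:00:00:00:00:03", dl_vlan=10)),
    }
    # Overlap: a frame from port 3 with the row-2 MAC matches rows 1 and 2 at
    # equal priority, so the first installed (row 1) wins ...
    both = dict(base, in_port=3, dl_src="08:2c:67:81:3f:06", dl_vlan=10)
    results["overlap_equal_priority"] = ft.process(both)
    # ... until a higher-priority copy of row 2 is installed.
    ft.add_flow({"dl_src": "08:2c:67:81:3f:06"}, [("set_vlan_vid", 22), ("output", 7)],
                priority=OFP_DEFAULT_PRIORITY + 1)
    results["overlap_higher_priority"] = ft.process(both)
    results["packet_ins"] = len(ft.packet_in)
    results["row1_packets"] = next(e for e in ft.entries if e.match == {"in_port": 3}).packet_count
    return results
```

Two things the model makes visible. First, overlapping wildcard entries at the same priority are ambiguous, so any rule that must win needs an explicit priority. Second, every packet that misses the table becomes a packet-in: an attacker who varies header fields can make a purely reactive controller do a round trip per packet, which is why production tables carry a low-priority catch-all entry (drop, or NORMAL) and proactive entries wherever the policy is known in advance. `add_flow` also rejects fields outside the 12-tuple, which is the practical limit of OpenFlow 1.0: there is no TCP-flag match.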
OpenFlow
Ports
• Physical ports
− Correspond to actual ports on the switch
• Logical ports
− Higher-level abstractions, e.g. LAGs, tunnels, ...
[Figure: tunnels, link aggregation and the flood port as examples]
OpenFlow 1.1
Changes from 1.0
Multiple Tables
• Each table can have a different purpose, different match fields
• Metadata passed from table to table to retain context
• Actions added cumulatively to 'Action Sets'
Tables: Authentication → QoS → Rate-Limits
Action set as the packet leaves each table:
− Authentication adds Set VLAN-Id: {Set VLAN-Id}
− QoS adds Set VLAN-Pri and Set ToS: {Set VLAN-Id, Set VLAN-Pri, Set ToS}
− Rate-Limits adds Set Rate: {Set VLAN-Id, Set VLAN-Pri, Set ToS, Set Rate}
OpenFlow 1.1
Changes from 1.0 (cont.)
Actions → Instructions
• OF 1.0: Each flow entry is associated with zero or more Actions
• OF 1.1: Each flow entry is associated with a set of Instructions:
− Changes packet (Apply-Actions or Clear-Actions)
− Changes Action Set (Write-Actions)
− Changes pipeline processing (Write-Metadata or Goto-Table)
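The Authentication → QoS → Rate-Limits pipeline from the Multiple Tables slide, with the five instruction types above, as an added example (not code from the slides or from any switch). It shows the action set accumulating across tables, a later Write-Actions overwriting an earlier one of the same type, metadata carried forward, and the pipeline stopping when an entry has no Goto-Table. Matching is a predicate per entry so the focus stays on instruction semantics, ACTION_SET_ORDER is a cut-down version of the spec's fixed execution order, and the MACs, VLANs, ports and queue numbers are constructed.

```python
"""OpenFlow 1.1 multi-table pipeline: instructions, action sets, metadata.

Added example; not code from the slides or from any switch.  Matching is a
predicate per entry; ACTION_SET_ORDER simplifies the spec's fixed order to
set-field actions, then queue, then output.  Hosts, VLANs and queues are
constructed test data.
"""

ACTION_SET_ORDER = ("set_vlan_vid", "set_vlan_pcp", "set_nw_tos", "set_queue", "output")


class Entry:
    def __init__(self, predicate, instructions, priority=0):
        self.predicate, self.instructions, self.priority = predicate, instructions, priority


class Pipeline:
    def __init__(self, table_names):
        self.names = list(table_names)
        self.tables = {name: [] for name in table_names}

    def add(self, table, predicate, instructions, priority=0):
        self.tables[table].append(Entry(predicate, instructions, priority))
        self.tables[table].sort(key=lambda e: -e.priority)

    @staticmethod
    def do_action(action, arg, pkt):
        """Execute one action; returns the egress ports it produced."""
        if action == "output":
            return [arg]
        if action in ("set_vlan_vid", "set_vlan_pcp", "set_nw_tos", "set_queue"):
            pkt[action[4:]] = arg        # set_vlan_vid -> pkt["vlan_vid"], ...
            return []
        raise ValueError("unsupported action %s" % action)

    def run(self, pkt):
        pkt = dict(pkt, metadata=0)       # metadata starts at 0 for every packet
        action_set = {}                   # one action per type; a later write overwrites
        out, trace = [], []
        table = self.names[0]
        while table is not None:
            entry = next((e for e in self.tables[table] if e.predicate(pkt)), None)
            if entry is None:
                trace.append((table, "miss"))   # OF 1.1 table-miss is per table config
                break                           # (controller/continue/drop); drop here
            trace.append((table, "hit"))
            goto = None
            for instr, arg in entry.instructions:
                if instr == "apply_actions":
                    for action, value in arg:            # executed immediately
                        out += self.do_action(action, value, pkt)
                elif instr == "write_actions":
                    action_set.update(arg)               # arg: {action: value}
                elif instr == "clear_actions":
                    action_set.clear()
                elif instr == "write_metadata":
                    value, mask = arg
                    pkt["metadata"] = (pkt["metadata"] & ~mask) | (value & mask)
                elif instr == "goto_table":
                    if self.names.index(arg) <= self.names.index(table):
                        raise ValueError("Goto-Table may only move forward")
                    goto = arg
                else:
                    raise ValueError("unknown instruction %s" % instr)
            table = goto
        for action in ACTION_SET_ORDER:      # pipeline end: execute the action set
            if action in action_set:
                out += self.do_action(action, action_set[action], pkt)
        return out, pkt, trace


AUTHENTICATED = 0x1       # metadata bit written by the Authentication table
VOICE_PORT = 5060


def build_slide_pipeline():
    p = Pipeline(["Authentication", "QoS", "Rate-Limits"])
    known = {"02:00:00:00:00:0a", "02:00:00:00:00:0b"}
    # Authentication: known MACs get the user VLAN, are flagged, and continue;
    # anything else goes straight to the controller and the pipeline stops.
    p.add("Authentication", lambda k: k["dl_src"] in known,
          [("write_actions", {"set_vlan_vid": 100}),
           ("write_metadata", (AUTHENTICATED, AUTHENTICATED)),
           ("goto_table", "QoS")], priority=10)
    p.add("Authentication", lambda k: True,
          [("apply_actions", [("output", "controller")])], priority=0)
    # QoS: voice traffic moves to the voice VLAN (overwriting the VLAN written
    # above), gets VLAN priority and ToS; everything else just continues.
    p.add("QoS", lambda k: k.get("tp_dst") == VOICE_PORT,
          [("write_actions", {"set_vlan_vid": 200, "set_vlan_pcp": 5, "set_nw_tos": 0xB8}),
           ("goto_table", "Rate-Limits")], priority=10)
    p.add("QoS", lambda k: True, [("goto_table", "Rate-Limits")], priority=0)
    # Rate-Limits: authenticated packets are put in a queue (rate) and sent out port 4.
    p.add("Rate-Limits", lambda k: k["metadata"] & AUTHENTICATED,
          [("write_actions", {"set_queue": 2, "output": 4})], priority=10)
    return p
```

Because the action set holds one action per type, the voice entry's `set_vlan_vid 200` silently replaces the `100` written by Authentication; the same property means a Clear-Actions or Write-Actions in a later table can undo what an earlier, security-relevant table decided, so pipelines deserve the same review as an ACL order. Gating later tables on the metadata bit, as Rate-Limits does here, is the idiom that keeps unauthenticated packets from reaching them.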
OpenFlow 1.1
Changes from 1.0 (cont.)
OF 1.0 match fields: Ingress Port | MAC Src | MAC Dst | Eth Type | VLAN Id | VLAN Prior | IP Src | IP Dst | IP Prot | IP ToS | TCP/UDP sport | TCP/UDP dport
OF 1.1 match fields: Ingress Port | Metadata | MAC Src | MAC Dst | Eth Type | VLAN Id | VLAN Prior | MPLS label | MPLS traffic class | IP Src | IP Dst | IP Prot | IP ToS | TCP/UDP sport | TCP/UDP dport
OpenFlow 1.2
Changes from 1.1
OpenFlow 1.3
Changes from 1.2
NETCONF
Comparison to OpenFlow
OpenFlow:
• Hardware: Program device hardware
• Low-level: Operates at low level of the network device (controller → device → OpenFlow tables → HW)
NETCONF:
• Software: Configure device software
• High-level: Operates at high level of the network device (controller → device → device software → HW)
NETCONF
Basics
• Notifications: the NETCONF counterpart of SNMP traps
• RPCs: operations invoked by the client on the NETCONF "server", the counterpart of the SNMP "agent"
NETCONF and YANG
YANG:
• Data Definition Language
− YANG is the data definition language used primarily with NETCONF.
• SMI: YANG is to NETCONF as SMI is to SNMP.
• Operations: Configuration and operational data, RPCs, and notifications.
• Hierarchical: Tree with branches and leaf nodes (like an SNMP MIB).
• Node Types:
− Container: Groups related nodes into a subtree; holds no value of its own.
− Leaf-List: Array of leaf values of the same type.
− List: Keyed sequence of entries, each holding multiple child nodes.
− Leaf: A single value, the actual data.
[Figure: a network device's NETCONF data tree above its data/forwarding plane]
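What the RPCs and the YANG tree look like on the wire, as an added example (not code from the slides or from any NETCONF implementation): the client-side `<get-config>` and `<edit-config>` messages an operator sends over the SSH "netconf" subsystem, the two framings RFC 6242 defines (the `]]>]]>` end-of-message marker for `:base:1.0`, chunked framing for `:base:1.1`), and parsing of a constructed `<rpc-reply>` including an `<rpc-error>`. The configuration subtree used in `<edit-config>` (an `acl` container holding a keyed `rule` list of leafs, namespace `urn:example:acl`) is a hypothetical YANG module written for the example, not a vendor model.

```python
"""NETCONF client messages: framing, <get-config>, <edit-config> and
<rpc-reply> parsing, standard library only.

Added example; not code from the slides or from any NETCONF implementation.
The "acl" subtree and urn:example:acl are a hypothetical YANG module; the
sample replies are constructed.
"""
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"


def rpc(message_id, operation):
    """Wrap an operation element in <rpc message-id="..."> and serialise it."""
    root = ET.Element("rpc", {"xmlns": NC, "message-id": str(message_id)})
    root.append(operation)
    return ET.tostring(root, encoding="unicode")


def get_config(message_id, source="running", subtree_filter=None):
    op = ET.Element("get-config")
    ET.SubElement(ET.SubElement(op, "source"), source)
    if subtree_filter is not None:
        ET.SubElement(op, "filter", {"type": "subtree"}).append(subtree_filter)
    return rpc(message_id, op)


def edit_config(message_id, config_subtree, target="candidate"):
    op = ET.Element("edit-config")
    ET.SubElement(ET.SubElement(op, "target"), target)
    ET.SubElement(op, "config").append(config_subtree)
    return rpc(message_id, op)


def acl_rule(name, action, source_prefix):
    """Hypothetical YANG tree: container acl / list rule (key: name) / leafs."""
    acl = ET.Element("acl", {"xmlns": "urn:example:acl"})
    rule = ET.SubElement(acl, "rule")
    ET.SubElement(rule, "name").text = name
    ET.SubElement(rule, "action").text = action
    ET.SubElement(rule, "source-prefix").text = source_prefix
    return acl


def frame_base10(message):
    """:base:1.0 framing: the message followed by the ]]>]]> end marker."""
    return message.encode() + b"]]>]]>"


def frame_base11(message):
    """:base:1.1 chunked framing: '\\n#<size>\\n' chunk ... '\\n##\\n'."""
    data = message.encode()
    return b"\n#%d\n" % len(data) + data + b"\n##\n"


def unframe_base11(data):
    """Reassemble one chunked-framed message; raises ValueError on bad framing."""
    pos, out = 0, b""
    while True:
        if data[pos:pos + 4] == b"\n##\n":
            return out.decode()
        if data[pos:pos + 2] != b"\n#":
            raise ValueError("bad chunk header at offset %d" % pos)
        end = data.index(b"\n", pos + 2)
        size = int(data[pos + 2:end])
        if not 1 <= size <= 4294967295:          # RFC 6242 chunk-size range
            raise ValueError("chunk size out of range")
        out += data[end + 1:end + 1 + size]
        pos = end + 1 + size


def parse_reply(xml_text):
    """Return {'status': 'ok'|'error'|'data', 'message_id': ..., ...}."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}rpc-reply" % NC:
        raise ValueError("not an <rpc-reply>")
    reply = {"message_id": root.get("message-id")}
    error = root.find("{%s}rpc-error" % NC)
    if error is not None:
        reply.update(status="error",
                     error_tag=error.findtext("{%s}error-tag" % NC),
                     error_message=(error.findtext("{%s}error-message" % NC) or "").strip())
    elif root.find("{%s}ok" % NC) is not None:
        reply["status"] = "ok"
    else:
        reply.update(status="data", data=root.find("{%s}data" % NC))
    return reply


# Constructed replies, as a server would send them for message-ids 101 and 102.
SAMPLE_OK_REPLY = '<rpc-reply xmlns="%s" message-id="101"><ok/></rpc-reply>' % NC
SAMPLE_ERROR_REPLY = (
    '<rpc-reply xmlns="%s" message-id="102"><rpc-error>'
    '<error-type>application</error-type><error-tag>access-denied</error-tag>'
    '<error-severity>error</error-severity>'
    '<error-message xml:lang="en">Access to the requested protocol operation '
    'or data model is denied because authorization failed</error-message>'
    '</rpc-error></rpc-reply>' % NC)
```

Which framing to use is decided by the `<hello>` capability exchange at session start, so a client must parse the server's capabilities before sending its first `<rpc>`. SSH authenticates the session, but what that user may then read or write is a separate authorisation layer on the server (NACM, RFC 8341), and the `access-denied` error tag in the constructed reply is exactly what a correctly restricted account sees when it tries to push an ACL change it is not entitled to.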
Carrier Networks and SDN
[Figure: customer edge (CE) connected through provider edge (PE) routers]
Load Balancing and SDN
Load-balancing well-suited for SDN
• Flow-based forwarding decisions
• SDN's agility and automation
Challenges for SDN
• Stateful needs
• Deep packet inspection needs
[Figure: a switch acting as load balancer with a Pattern → Action table: 1.1.1.5 → 1, 1.1.1.7 → 2, 1.1.1.2 → 3, 1.1.1.4 → 1, 1.1.1.9 → 2]
Firewalls and SDN
Firewalls well-suited to SDN
• Block/allow IP addresses
• Block/allow TCP/UDP ports
Challenges for SDN
[Figure: switches acting as firewalls with a Pattern → Action table: HTTPS → Allow, HTTP → Allow]
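Why "block/allow TCP/UDP ports" alone is not a firewall, and what the "stateful needs" challenge from the load-balancing slide costs, as an added example (not code from the slides or from any controller). The first class is the static Pattern → Action table: allow outbound HTTPS by destination port 443 and allow the replies by source port 443. Since an OpenFlow match sees only header fields, an attacker who sets their own source port to 443 satisfies the reply rule and reaches any inside port. The second class keeps policy in the controller: the first packet of a new outbound flow arrives as a packet-in, the controller installs the exact forward and reverse 5-tuples with an idle timeout, and unsolicited inbound packets miss and are dropped. The `dir` field stands in for the ingress port (inside vs outside); addresses, ports and packets are constructed test data.

```python
"""Port-based OpenFlow firewall rules with and without state.

Added example; not code from the slides or from any controller.  "dir" stands
in for the ingress port (inside/outside).  Addresses and packets are
constructed test data.
"""


def five_tuple(pkt):
    return (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])


def reverse_tuple(pkt):
    return (pkt["dst"], pkt["src"], pkt["proto"], pkt["dport"], pkt["sport"])


class StatelessFirewall:
    """Two static wildcard entries, first match wins, table miss = drop."""
    RULES = (
        ("allow outbound HTTPS", lambda p: p["dir"] == "out" and p["dport"] == 443),
        ("allow HTTPS replies", lambda p: p["dir"] == "in" and p["sport"] == 443),
    )

    def check(self, pkt, now=0):
        for name, predicate in self.RULES:
            if predicate(pkt):
                return "allow", name
        return "drop", "table miss"


class StatefulFirewall:
    """Exact-match entries installed reactively by the controller for both
    directions of each permitted flow; entries age out when idle."""
    IDLE_TIMEOUT = 60

    def __init__(self):
        self.flows = {}        # 5-tuple -> expiry time (forward and reverse entries)
        self.packet_ins = 0

    @staticmethod
    def policy(pkt):
        """Controller-side policy, consulted only on a table miss."""
        return pkt["dir"] == "out" and pkt["dport"] == 443

    def check(self, pkt, now=0):
        key = five_tuple(pkt)
        expiry = self.flows.get(key)
        if expiry is not None and now <= expiry:
            self.flows[key] = now + self.IDLE_TIMEOUT      # hit: refresh idle timer
            return "allow", "installed flow"
        self.flows.pop(key, None)                          # expired entries disappear
        self.packet_ins += 1                               # table miss -> packet-in
        if self.policy(pkt):
            # Controller installs the forward entry and its exact reverse.
            self.flows[key] = now + self.IDLE_TIMEOUT
            self.flows[reverse_tuple(pkt)] = now + self.IDLE_TIMEOUT
            return "allow", "new outbound HTTPS flow"
        return "drop", "policy: unsolicited"


def scenario():
    """Client opens HTTPS to a server; an outsider then spoofs source port 443
    toward the client's SSH port.  Returns the verdicts of both firewalls."""
    client, server, attacker = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    out_pkt = {"dir": "out", "src": client, "dst": server, "proto": 6, "sport": 51000, "dport": 443}
    reply = {"dir": "in", "src": server, "dst": client, "proto": 6, "sport": 443, "dport": 51000}
    spoofed = {"dir": "in", "src": attacker, "dst": client, "proto": 6, "sport": 443, "dport": 22}
    stateless, stateful = StatelessFirewall(), StatefulFirewall()
    return {
        "stateless": [stateless.check(p)[0] for p in (out_pkt, reply, spoofed)],
        "stateful": [stateful.check(p, now=t)[0] for t, p in enumerate((out_pkt, reply, spoofed))],
        "stateful_reply_after_idle_timeout": stateful.check(reply, now=200)[0],
        "packet_ins": stateful.packet_ins,
    }
```

`scenario()` gives `["allow", "allow", "allow"]` for the stateless table (the spoofed packet to port 22 gets through) and `["allow", "allow", "drop"]` for the stateful one; after the idle timeout even the genuine reply is dropped until a new outbound packet re-opens the flow. The price is one packet-in per new flow and per unsolicited inbound packet, so an outsider can still make the controller work; a low-priority proactive drop entry for the inbound direction keeps those packets off the control channel, at the cost of the controller no longer seeing them.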
Campus Environments and SDN
Access control solutions today are expensive, error-prone, complicated, and cumbersome