White Paper Intel® Open Network Platform Software Defined Networking Division

Going Virtual: Intel and Red Hat Demonstrate SDN Service-Chaining Solutions

As software-defined networking (SDN) and network function virtualization (NFV) have gained traction in the marketplace, many organizations—from enterprise IT to cloud and telecommunications service providers—have discovered the benefits of virtualizing compute and networking components. Enterprises and service providers face intense pressure to support the rapid deployment of new services, and this is one of the key factors driving the industry shift to SDN and NFV solutions. Service chaining adds another dimension to virtualization possibilities: added flexibility in integrating virtual appliances into the mix to handle routing, switching, and other functions as part of the service chain. Service chaining provides a flexible means of managing network traffic more intelligently—with greater agility—when moving from physical networking machines, such as routers and switches, to virtual network appliances that implement multiple virtual machines on each standard high-volume server (SHVS). To advance this technology further, the Intel® Open Network Platform (Intel® ONP) reference architecture and Red Hat’s Enterprise Linux* OpenStack* platform, combined with open-source components and virtual appliances from Intel® Network Builders partners, form the basis of a powerful demonstration that shows the practical capabilities of service chaining in action. This paper explains the concepts that characterize service chaining and discusses the multi-vendor demo that illustrates the benefits of this technology to enterprises, cloud, and telecommunications companies. Going Virtual: Intel and Red Hat Demonstrate SDN Service-Chaining Solutions

Table of Contents What is the Intel ONP Dynamic service chaining offers a Reference Architecture? means to improve efficiency and What is the Intel ONP systematically direct packets, flows, Developed to streamline the design, Reference Architecture? ...... 2 or messages across the network. deployment, and manageability of Intelligent network orchestration is Technology Challenge: open solutions within SDN and NFV Realizing the Promise of environments, the Intel ONP reference at the heart of this technology. With Dynamic Service Chaining. . . . . 2 architecture provides a blueprint for NFV, a centralized master with visibility enabling commercial adoption of into all available networking devices Supporting Reference Architecture validated hardware and software in manages and provisions network Used for the Demonstration . . . . 3 key industry sectors. Telecom carrier functions, simplifying the combining A Deeper Look at networks, enterprise environments, and coordination of services. Service Chaining ...... 3 and cloud data centers can more easily To accomplish SDN/NFV service build solutions using an open-source Intel® Open Network Platform software stack running on standard chaining requires overcoming these Reference Architecture...... 3 high-volume servers, as delineated challenges: Broad SDN/NFV Ecosystem by the reference architecture. An • Packet flow issues. Determining a on Intel Architecture...... 4 ecosystem has been built around logical packet flow is necessary— the foundation established by the Rapid Provisioning and Enhanced packets sometimes need to traverse Intel ONP reference architecture with physical links multiple times. Network Management through collaboration, contributions, and the Service Chaining ...... 4 support of industry consortiums, • Managing L2/L3 packet forwarding. Overcoming Network telecommunications and cloud In enterprise environments, network Infrastructure Weaknesses. . . . 5 providers, Intel® Network Builders, and address translation would modify leading companies involved in open- the IP address. Any modifications Building a High-Performance source projects. to the L2/L3 header can disrupt SDN/NFV Platform ...... 6 consistency in the chain because Traffic Flow through a Service- Technology Challenge: control mechanisms within a flow are Aware NFV Infrastructure . . . . . 7 Realizing the Promise of identified by the header. Dynamic Service Chaining Overcoming Latency for • Managing L4/L7 service processing. Network Function Virtualization Traditionally, network services are Service processing, such as that (NFV) Servers...... 7 implemented in static chains. This performed by application delivery Summary...... 10 can create technical challenges and controllers (ADCs) and WAN introduce network management optimizers often modifies L4 - L7 issues when network functions are operations, which can terminate virtualized. In an environment using some flows and start up others static chains, service functions— unexpectedly. including WAN optimization, load • Orchestration and controller issues. balancing, security, and additional Placement of services must be value-added services—exist in a coordinated. Services that depend rigid path dictated by the hardware on conditions and states to control configuration. Making modifications to operations must use a single path in the components in this path requires both directions. substantial manual intervention. In this type of implementation, data exchanged between communicating peers adds inefficiencies, reduces overall bandwidth, and typically leads to significant numbers of duplicated functions.

2 Going Virtual: Intel and Red Hat Demonstrate SDN Service-Chaining Solutions

As dynamic service chaining matures, Intel® Open Network Platform Reference Architecture solutions for these challenges are being researched and explored, including the Open Source Software Stack following techniques: Based on ETSI-NFVI Reference Architecture • Coordinating service segments through the SDN controller offers a potential solution currently being OpenStack Cloud OS explored, but it adds complexity to Open Daylight Controller service chain operations.

• Use of a dedicated service chain header can indicate the appropriate Open vSwitch DPDK service path and provide this data to An Open Virtual Switch Open vSwitch the controller to select the optimal path.

• Performing deep packet inspection Linux Fedora OS KVM Hypervisor gives the SDN controller the information to more intelligently handle the packet ordering and flow. Intel® QuickAssist Technology Driver Ongoing work in this area focuses on Intel® Ethernet Drivers: 10 & 40 GbE gaining a better understanding of these service-chaining challenges as new solutions are developed. Industry standard High Volume Server

Intel® Xeon® Intel® Communications Intel® Ethernet Supporting Reference Architecture processor E5 v3 Chipset 89xx Series Controller XL710 Used for the Demonstration Intel ONP is a reference architecture Figure 1 . Software stack and hardware platform for the Intel® Open Network Platform reference architecture, release 1.2. that defines a modular framework for a wide range of SDN and NFV vendor solutions. Virtual appliances from F5, interoperability with Intel ONP, Intel The reference architecture is strongly Riverbed, Brocade, and other vendors submitted optimizations for OpenStack aligned with the NFV architecture have been used as part of the service- and demonstrated compatibility with specifications established by ETSI and chaining demo. OpenDaylight. the guidelines formulated by the Open Platform for NFV* (OPNFV*) project, The software stack for the Intel ONP Hardware components included in the making it possible to achieve greater reference architecture, shown in Figure demo as a part of the implementation interoperability through Intel ONP. 1, runs on the latest Intel® processor: of Intel ONP are the Intel® QuickAssist the Intel® Xeon® processor E5 v3 Adapter 8950 and the Intel® Ethernet A Deeper Look at Service Chaining family. The OpenDaylight* Helium Controller XL710. Other hardware controller and the OpenStack Juno and software configurations are Service chaining within an SDN/NFV platform provide SDN/NFV control supported by the Intel ONP reference environment enables the connection and orchestrations, respectively. The architecture release 1.2 as well. An of network and security services software components in the compute array of validated solutions from the into the flow of network traffic in a node stack are based entirely on open- Intel Network Builders ecosystem dynamic manner, using software and source projects, including the Data (see Figure 2) makes it possible to virtual appliances rather than physical Plane Development Kit (DPDK), Open quickly construct a high-performance appliances. Service-chaining actions vSwitch*, Kernel-based Virtual Machine SDN/NFV solution and to implement are initiated and performed through a (KVM*), and Fedora Linux. To improve versatile service chaining functionality. centralized controller.

3 Going Virtual: Intel and Red Hat Demonstrate SDN Service-Chaining Solutions

Broad SDN/NFV Ecosystem on Intel Architecture

Network Applications 6WIND*, ADLINK Technology, Inc *,. Advantech Co ., Ltd* Akamai*, Altobridge*, Brocade*, Intel® ONP Server Clavister AB*, Dell*, Emerson*, F5*, Huawei*, Reference Architecture Orchestrator IneoQuest Technologies, Inc *. Kontron*, Link Commercial Analytics*, McAfee*, Procera Networks*, SDN/NFV Qosmos*, Radisys*, Red Hat*, Spirent Solutions Available on Controller Communications*, Trail-f Systems*, Tango www .01 .org Networks*, Tektronix Communications*, The Saguna Networks LTD*, Tieto*, Vantrix*, Node WMware*, Wind River*, and ZTE Corporation* . Trials and Deployments

https://networkbuilders .intel .com

120+ Partners Delivering SDN/NFV Solutions on Intel Architecture

*Other names and brands are the property of their respective owners Figure 2 . Reference architecture components of Intel® Open Network Platform Server.

Support for SDN service chaining Within this model, the administrator Virtual appliances used in the demo relies on a platform upon which the can dynamically adjust traffic routing, make it possible to automate the controller functions are decoupled depending on what types of operations provisioning and scale as required to from hardware and in which the control are taking place with the server— meet operational requirements. The and data planes are separated, and NFV whether it is media distribution, demo includes the following virtual principles are used to substitute virtual handling incoming transactions, or any appliances (but is not limited to these): appliances for proprietary, dedicated other type of operation. • F5® BIG-IP® Advanced Firewall hardware appliances. In the case of The key to the value of service chaining Manager™ (AFM) Virtual Edition the demo discussed in this paper, the is its dynamic aspect—being able platform is based on the Intel ONP • F5® BIG-IP® Local Traffic Manager™ to adjust on-the-fly in response to reference architecture and a collection (LTM) Virtual Edition changing network conditions, rather of components assembled from a than being locked into a static situation. • Riverbed SteelHead* vWAN - number of different vendors. This allows resources to be used more Virtual WAN With dynamic service chaining, all intelligently, which is the true value of • Brocade Vyatta* 5600 vRouter- the applications in the network are having a dynamic service chain. Virtual router working together, rather than having applications residing in individual Rapid Provisioning and Enhanced These virtual applications replace silos. Load balancers can determine Network Management through physical appliances that perform what node a series of packets has Service Chaining the same tasks in the network. The to go through, but traffic has to go SDN/NFV platform can also work in through the router and firewall. The The service-chaining demo uses a combination with existing physical virtual appliances are chained together, number of virtual applications—from appliances that are included as part of rather than having physical appliances several different vendors—running a solution. As more virtual appliances through which the data is flowing. The on a Dell Server with open-source are deployed, the need for manual same virtual appliances may reside components, including Linux, Red Hat configuration and administration on the same server. For example, OpenStack, and the OpenDaylight of physical appliances is reduced. the firewall and router could both be controller. Core components are based Because dynamic service chaining running on the same server. Traffic is on the blueprint provided by the Intel lets administrators adjust operations going to be chained or running through ONP reference architecture, release 1.2. dynamically to changing conditions and the virtual appliances. preset thresholds within the network,

4 Going Virtual: Intel and Red Hat Demonstrate SDN Service-Chaining Solutions

all virtual appliances are subject to The demo illustrates clearly the ease in inventory and, if not available, must control using automated management which virtual appliances from multiple be ordered from a supplier. The router processes. Routing and traffic flow vendors can be rapidly and efficiently must then be physically moved to the more efficiently as available resources provisioned through the SDN controller location for deployment and configured are enabled or freed for other uses, as and orchestration layer. Network by a technician. This generally requires necessary. management becomes much simpler, manual configuration, setup, and leading to reduced operational costs, testing before the router can be The specific virtual appliances used increased agility, and a lower total cost brought online. If the router hardware in this particular Intel and Red Hat of ownership. Even after the network has to be ordered, the entire process demo are not necessarily fixed. Many is set up and operating, there is no can take weeks or even months to add substitutes exist across a large array need to shut down the system and the router to the network and complete of compatible appliances that work reconfigure the network components the deployment. well with the Intel ONP architecture. to directly plug in any number of virtual For example, plugging in the Qosmos In comparison, as the demo highlights, appliances. Deep Packet Inspection* virtual a virtual appliance can be provisioned application enhances the intelligent Overcoming Network Infrastructure and added to a network service chain in routing capabilities and plugging in the Weaknesses a matter of minutes. Figure 3 shows the McAfee® Network Security Platform Network Topology window within the (NSP) virtual intrusion prevention Managing the traditional network OpenStack administration tab. From system increases the network security. infrastructure today in which this high-level view of the network, Dozens of additional appliances physical devices are used to carry out administrators can configure virtual available from the Intel Network fundamental network services presents appliances and structure the network Builders ecosystem and ISVs extend significant challenges. Consider the topology for effective resource use. capabilities, create value-added steps an IT professional or technician For example, a Create Router button services, and respond to unique must perform to complete basic tasks. provides a means to insert a virtual implementation requirements. For example, to deploy a new router router at a designated position within the hardware must first be located in the network.

Figure 3 . An overview of the network topology from the OpenStack* console.

5 Going Virtual: Intel and Red Hat Demonstrate SDN Service-Chaining Solutions

Individual virtual appliances within the virtualized environment typically have their own management consoles, providing fine-grained control over the configuration options. For example, Figure 4 shows the management console for accessing the Riverbed SteelHead virtual WAN capabilities, supporting consolidation of servers in a virtual environment. Tabs within the console enable an administrator to set limits for CPU usage, set alarms, perform diagnostics, and configure settings.

Figure 4 . Management console for Riverbed Steelhead* VCX.

Virtual appliances eliminate the need to were difficult to develop and deploy, within OpenStack, the administrator manually provision physical hardware, because of the complicated mix of can configure those vendor virtual providing the following advantages: vendor configurations and capabilities. application resources (such as the The Intel ONP reference architecture virtual appliances from F5, Riverbed, • Improved efficiency in network will open opportunities for service Brocade, and Qosmos). performance through intelligent chaining using SDN/NFV on networks routing and better use of resources The OpenDaylight component by delineating the hardware and configures the controller that manages • Better scalability by controlling software components that, together, the flow between the virtual machines, platform access to server resources constitute the necessary network enabling the primary network efficiency through virtual components deployed infrastructure and support for the benefits. The readily available as network demands vary virtualized functionality. open-source tools to configure the • Fluid provisioning through automation Building a High-Performance SDN/ environment make it possible to freely based on presets and defined NFV Platform deploy virtual appliances from a large thresholds array of vendors, rather than being The use of Red Hat OpenStack as locked into a single provider. • Increased agility through centralized the cloud-computing platform in the management demo provides considerable flexibility The contribution from the Intel ONP reference architecture is stability and Before standards and reference in creating a network environment interoperability through the use of architectures were developed to suitable for showcasing SDN service pre-tested components that have been provide the foundation to integrate chaining. OpenStack lets users shown to work together effectively. services for SDN/NFV across the span create VMs on available hosts and When customers request servers of network layers, these technologies connect networks in accordance with whatever plan IT has in effect. From based on the Intel ONP reference

6 Going Virtual: Intel and Red Hat Demonstrate SDN Service-Chaining Solutions

architecture, they know the resulting solution will provide them with a Overcoming Latency for high-performance SDN/NFV platform Network Function Virtualization (NFV) Servers that takes advantage of engineering advances, such as the DPDK ensuring Typical NFV server solutions are not well suited for data plane processing that packet flow through the server will applications. Packet latency is a critical problem due to the way the routing be optimized for high performance. A is handled, with the virtual infrastructure and virtualized data plane sending server that is not based on Intel ONP packets needlessly through the operating system, hypervisor, and processor. reference architecture is unlikely to This inefficient routing negates many of the benefits inherent in the technology. achieve the same performance levels. The Data Plane Development Kit (DPDK) Accelerated Open vSwitch*, Major computer equipment an ingredient in the Intel® Open Network Platform reference architecture, manufacturers, including HP and provides software enhancements to improve packet processing. Processing Dell, have built server solutions time is saved in the following ways: around the Intel ONP reference • Using core affinity architecture. These solutions have been tuned and optimized for the • Disabling interrupts generated by packet I/O; instead a Poll Mode unique system characteristics and Driver is used hardware components referenced in • Enforcing cache alignment the architecture blueprint. • Prefetching Traffic Flow through a Service- • Implementing large-scale pages to minimize cache misses Aware NFV Infrastructure DPDK libraries and drivers are available as open-source code at The demo of a complete service-aware www .01 .org for the use of developers who want to enhance and NFV infrastructure from Red Hat, Intel, accelerate software-based packet processing. and multiple virtual appliance vendors shows enhanced service chaining and reduced costs through intelligent traffic routing. network and controlling traffic flow into To provide a better sense of the traffic the data network and other networks. flow, Figure 5 illustrates the sequence As shown earlier in Figure 3, The fact that traffic flow can be that takes place when a request for OpenStack provides a graphical handled fluidly in the virtual mode—by multi-media content takes place. view of the components in the modifying router configurations and network infrastructure. This view 1. User requests multi-media content network topology—is the reason this shows individual networks, virtual on a server. technology works so well for service appliances, compute nodes, and chaining. Operations are structured 2. The request is routed to the firewall. other characteristics of the virtualized around the most efficient paths and environment. The lines shown in 3. The firewall approves the request sequences available, making it possible Figure 5 represent a conceptual view and lets it through. to configure the network intelligently to of the traffic flow through the network optimize traffic flow. 4. The request goes to the load (colors and appearance differ from the balancer, which determines the OpenStack console view). The key point Unlike a physical network configured optimal server to handle it. In this to remember is that OpenStack lets with physical devices, OpenStack example, it is the Apache server. administrators add networks, virtual allows the administrator to visualize appliances, and compute resources, as the network structure on screen and 5. The requested content is located well as make changes to the network determine the optimal deployment and on the server. topology directly from the console— provisioning of virtual components on relying on virtualized components. any selected portion of the available For example, the box in Figure 5 that networks. All network configurations resembles an “x” represents a virtual are managed through the console and router—the Brocade Vyatta 5600 implemented without ever having to vRouter—residing on the public touch a physical device.

7 Going Virtual: Intel and Red Hat Demonstrate SDN Service-Chaining Solutions

HTTP Request

F5 BIG-IP The Application Performance Company™ Advanced Firewall F5 BIG-IP Local Traffic SteelHead Vyatta 5600 Manager Virtual Edition Manager Virtual Edition Virtual WAN Virtual Router Second Management Network Management Network Sequence External Client Data Network Data

1 192.168.88.0/24 192.168.55.0/24 192.168.33.0/24 192.168.10.0/24 192.168.45.0/24 192.2.125.0/24 Private 2 Public 3 4

Figure 5 . The sequence of handling an HTTP request.

8 Going Virtual: Intel and Red Hat Demonstrate SDN Service-Chaining Solutions

The HTTP response, shown in Figure 6, follows this sequence: 1. The content is located on the server. 2. The content is delivered back to the user.

HTTP Response

The Application Performance Company™ SteelHead Vyatta 5600 F5 BIG-IP Advanced F5 BIG-IP Local Traffic Virtual WAN Virtual Router Firewall Manager Virtual Edition Manager Virtual Edition Second Management Network Management Network Sequence External Client Data Network Data

1 192.168.88.0/24 192.168.55.0/24 192.168.33.0/24 192.168.10.0/24 192.168.45.0/24 192.2.125.0/24 Private 2 Public 3

Figure 6 . The sequence of handling an HTTP response.

9 Going Virtual: Intel and Red Hat Demonstrate SDN Service-Chaining Solutions

“Service providers are likely Summary closer to recognizing that The new foundation being established for dynamic service chaining builds on the technologies that underlie SDN and NFV. The blueprint offered by the Intel technologies like service Open Network Platform Server reference architecture provides a commercially chaining are as much about viable way—based on SDN—to create catalogs of network resources and associated policies abstracted from the hardware. Dynamic service chaining orchestrating a business extends this concept and uses the SDN framework to automatically optimize the process as they are about number and sequence of service functions required to control traffic intelligently across the network. how to direct traffic around The service chain demo based on Intel ONP reference architecture helps solve many a network. Service chaining of the challenges in setting up service chaining and controlling traffic routing. As allows the network to grow shown in the demo, the combination of Red Hat OpenStack, a platform powered by an Intel Xeon processor-based server, OpenDaylight, and multi-vendor virtual up and really participate in appliances greatly simplified many of the most difficult challenges of service chaining business processes.”1 and created an environment where dynamic resource allocation and centralized control functions add efficiency and cost savings to operational workloads. – Lori MacVittie, DevOps Journal

Learn more about the Intel® Open Network Platform: www .intel .com/ONP

Download the Intel Open Network Platform Server Reference Architecture for NFV and SDN: www .01 org. Learn more about Intel Network Builders: https://networkbuilders .intel .com/

1 MacVittie, Lori (2014). “Service Chaining Is Business Process Orchestration in the Network,” DevOps Journal. http://devops.sys-con.com/node/3036678 INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL® PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL’S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WAR- RANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR. Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked “reserved” or “undefined.” Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information. The products described in this document may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents, which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or by visiting Intel’s Web site at www.intel.com. Intel processor numbers are not a measure of performance. Processor numbers differentiate features within each processor family, not across different processor families. Go to: Learn About Intel® Processor Numbers *Other names and brands may be claimed as the property of others. Copyright © 2015 Intel Corporation. All rights reserved. Intel, the Intel logo, and Xeon are trademarks of Intel Corporation in the U.S. and other countries. 0515/NU/MESH/PDF 332521-001US