Tailf:Cli-Enforce-Table
Virtualize Your Enterprise Through Network Function Virtualization Cloud Technologies
Jim French, Distinguished System Engineer, CCIE, CISSP
https://www.linkedin.com/in/frenchjp

Enterprise NFV: Agenda
• NFV Requirements
• Software Components
• Hardware Components
• Use Cases and Solutions
• Putting IT Together

Network Function Virtualization: Agenda
• NFV Requirements
• NFV Approach
• Software Components
  – Linux KVM Hypervisor
  – Service Function Chaining SFC
  – Tail-f Confd
  – Openstack*
  – Elastic Services Controller ESC
  – Network Services Orchestrator NSO
• Hardware Components
  – Fog/Edge/Branch NFV
  – Data Center NFV
• Use Cases
  – Fog / Edge / Branch
  – Data Center
  – Cloud / Shared Hosting
  – Extranet
• Solutions
  – Cloud Services Platform CSP
  – vBranch
  – Extranet
  – Virtual Managed Services VMS*
  – Security Firepower 9300*
• Putting IT Together

Network Function Virtualization: Abbreviations
• BMA: Bare Metal Agent
• NFV: Network Function Virtualization
• CSP: Cloud Services Platform
• ODL: Open Daylight Controller
• CSR: Cloud Services Router
• PnP: Plug and Play
• OSC: Open SDN Controller
• SDN: Software Defined Network
• XRV: IOS XR Virtual
• SFC: Service Function Chaining
• VTS: Virtual Topology System
• VNF: Virtual Network Function
• VPP: Vector Packet Processing
• REST: Representational State Transfer

Network Function Virtualization: Requirements

Requirements: Varied and Dynamic Enterprise Interactions
[Table, columns grouped as Publishing / Access / Hosting: User, Device, User Location, Access, Application Location, Data Location]
• User: Employee, Partner, Vendor, Customer
• Device: VDI, PC, Mobile, Thing
• User Location: Campus, Branch, Home, Anywhere
• Access: Leased Line, MPLS, IPSec VPN, SSL/TLS
• Hosting (Application Location, Data Location): Private Data Center, Private NAS/SAN, DB, SaaS, Partner Data Center, dedicated storage, SaaS, Dedicated Hosting, integrated store, Cloud, Shared Hosting, Client stored
• Increasing growth / Decreasing Trust / Decreasing

Requirements: Quickly & Securely Consume Resources and Capabilities
Create, Deploy, Operate, and Retire Workflows:
• Places - Branch / Data Center / DMZ
• People - Employee / Partner / Customer
• Things - Device / Sensor / Camera / Etc
• Applications – SAAS, IAAS / COTS, client/server
• Collaboration – Meetings / Events
[Diagram labels: Business Problems; Architectures (Simplification Candidates); Workflows; Repeatable Workflows/Profiles; Common Workflows Tasks; Identify choke points; Things to fix & achieve Simplification Operationally; New Capabilities]
http://www.frenchjim.com/2015/10/the-b4b-red-pill-to-move-from-offering.html

Requirements: Non-Default Policy Application Deployment Challenge
• Users, branches, extranet partners, and applications change frequently
• Many require non-default experience, security, scale, or monitor services
• Non-default policy programming is frequent, costly, and error prone
• Interactions depend on many network services
• Network services are from many different vendors

• Complex
• Costly
• Error prone
• Never remove policies
• Not secure

• Auto has ~10,000 applications with ~10 year lifespan
• 1000 applications deployed & retired per year
• ~10 applications/week programmed and unprogrammed (20% are non-default behavior)
• CLI never intended to provide frequent policy change
• Change control can’t keep up!

[Diagram labels: Application Owner; IPAM Admin, Network Admin, WANOpt Admin, Security Admin, ADC/App Admin, Monitor Admin, Virtual Admin; DC Network Admin; Policy Configure; Prime, Prime, WOCM, FWM, ADCM, vCenter, 3rd Party, 3rd Party, DCNM; DNS, QoS, WOC, FW, ADC, Monitor, vSwitch; Class, Policy, Map, WCCP, Redirect, Route, VLAN, SNAT, Span, VACL, vPath; Client, Server; Traditional Network; Insert, Chain, Scale]

Requirements: Where Are The Virtualizable Infrastructure Functions?
[Diagram labels: Client, WAN, Internet, DMZ, Data Center or Cloud, Web, App, DB, Mirror, VM Servers; Client Access Chain, Data Center / Tenant Access Chain, Application Access Chain, Application Interaction Chain]
• Client Access Chains are on the perimeter of the access network
• Data center or Tenant Chains reside on the WAN or Internet edge of the data center
• Application Access Chains are in the server farm core with north/south traffic
• Application Interaction Chain is in the server farm access with east/west traffic

Network Function Virtualization: Approach

Network Function Virtualization: Building Blocks
• Hosting Nodes
  – UCS B-series
  – UCS C-series
  – UCS M-series
  – UCS Express
  – CSP-2100
  – ISA 3000
• Transport Nodes
  – NX-OS: Nexus 9/7/6/5/3/2/1K
  – IOS XE: ASR, CSR, Catalyst 4500, ISR 4400
  – IOS XR: ASR 9000, XRV
  – IOS: Catalyst 2/3/6K, ISR
• Service Node (Aka VNF)
  – WAN Optimization Controllers (WOC) - WAAS
  – Security: Firewall - ASA, NextGen Firewall - FirePower
  – Application Delivery Controller (ADC)
  – Application Performance Monitoring (APM) - NAM
  – Secure Web Gateways - WSA
  – Content Delivery Network – VDS-IS
  – Application Components

Network Function Virtualization: Service Nodes Contain One or More Service Functions
• Transport
• Security
• Infrastructure