Virtualize Your Enterprise Through Network Function Virtualization Cloud Technologies
Jim French, Distinguished System Engineer, CCIE, CISSP
[email protected]
https://www.linkedin.com/in/frenchjp
Enterprise NFV Agenda
• NFV Requirements
• Software Components
• Hardware Components
• Use Cases and Solutions
• Putting IT Together
3 Network Function Virtualization Agenda
• NFV Requirements
• NFV Approach
• Software Components
  – Linux KVM Hypervisor
  – Service Function Chaining SFC
  – Tail-f Confd
  – Openstack*
  – Elastic Services Controller ESC
  – Network Services Orchestrator NSO
• Hardware Components
• Use Cases
  – Fog / Edge / Branch
  – Data Center
  – Cloud / Shared Hosting
  – Extranet
• Solutions
  – Cloud Services Platform CSP
  – vBranch
  – Extranet
  – Virtual Managed Services VMS*
  – Security Firepower 9300*
  – Fog/Edge/Branch NFV
  – Data Center NFV
• Putting IT Together
4 Network Function Virtualization Abbreviations
• BMA Bare Metal Agent
• CSP Cloud Services Platform
• CSR Cloud Services Router
• NFV Network Function Virtualization
• ODL Open Daylight Controller
• OSC Open SDN Controller
• PnP Plug and Play
• REST Representational State Transfer
• SDN Software Defined Network
• SFC Service Function Chaining
• VNF Virtual Network Function
• VPP Vector Packet Processing
• VTS Virtual Topology System
• XRV IOS XR Virtual
5 Network Function Virtualization Requirements
6 Requirements Varied and Dynamic Enterprise Interactions
Table (columns: user, user device, user access, access transport, application location / hosting, data location):
• Users: Employee, Partner, Vendor, Customer
• User devices: VDI, Partner PC, Mobile, Thing
• User access: Campus, Branch, Home, Anywhere
• Access transport: Leased Line, MPLS, IPSec VPN, SSL/TLS
• Application location / hosting: Private Data Center DB, SaaS, Dedicated Hosting, Cloud Shared Hosting
• Data location: Private NAS/SAN dedicated storage, Partner Data Center storage, integrated store, Client stored
• Trends down the table: SaaS increasing growth, decreasing trust, decreasing dedicated hosting
7 Requirements Quickly & Securely Consume Resources and Capabilities
Business Problems → Architectures (Simplification Candidates) → Create, Deploy, Operate, and Retire Workflows
Workflows:
• Places - Branch / Data Center / DMZ
• People - Employee / Partner / Customer
• Things - Device / Sensor / Camera / Etc
• Applications – SAAS, IAAS / COTS, client/server
• Collaboration – Meetings / Events
Repeatable Workflows/Profiles → Common Workflow Tasks → Identify choke points and things to fix to achieve Simplification Operationally → New Capabilities
http://www.frenchjim.com/2015/10/the-b4b-red-pill-to-move-from-offering.html
8 Requirements Non-Default Policy Application Deployment Challenge
Diagram (slides 8-17 build up the same picture): tool silos Prime, WOCM, FWM, ADCM, vCenter, 3rd Party, DCNM; network services WOC, FW, QoS, DNS, Class, ADC, Monitor, vSwitch; policy objects Policy, Class, WCCP, Route, Span, Map, Redirect, VLAN, SNAT, VACL, vPath; roles Application Owner, IPAM Admin, Network Admin, WANOpt Admin, Security Admin, ADC/App Admin, Monitor Admin, Virtual Admin, DC Network Admin; operations Policy, Configure, Insert, Chain, Scale.
• Users, branches, extranet partners, and applications change frequently
• Many require non-default experience, security, scale, or monitor services
• Non-default policy programming is frequent, costly, and error prone
• Interactions depend on many network services
• Network services are from many different vendors
Traditional Network:
• Complex
• Costly
• Error prone
• Never remove policies
• Not secure
Scale (slides 16-17):
• Auto has ~10,000 applications with ~10 year lifespan
• 1000 applications deployed & retired per year
• ~10 applications/week programmed and unprogrammed (20% are non-default behavior)
• CLI never intended to provide frequent policy change
• Change control can’t keep up!
18 Requirements Where Are The Virtualizable Infrastructure Functions?
Diagram: Client → Internet / WAN → DMZ → Data Center or Cloud (Web, App, DB servers, mirror VM), with four chains: Client Access Chain, Data Center / Tenant Access Chain, Application Access Chain, Application Interaction Chain.
• Client Access Chains are on the perimeter of the access network
• Data center or Tenant Chains reside on the WAN or Internet edge of the data center
• Application Access Chains are in the server farm core with north/south traffic
• Application Interaction Chain is in the server farm access with east/west traffic
19 Network Function Virtualization Approach
20 Network Function Virtualization Building Blocks
• Hosting Nodes
  – UCS B-series
  – UCS C-series
  – UCS M-series
  – UCS Express
  – CSP-2100
  – ISA 3000
• Transport Nodes
  – NX-OS: Nexus 9/7/6/5/3/2/1K
  – IOS XE: ASR, CSR, Catalyst 4500, ISR 4400
  – IOS XR: ASR 9000, XRV
  – IOS: Catalyst 2/3/6K, ISR
• Service Node (aka VNF)
  – WAN Optimization Controllers (WOC) - WAAS
  – Security: Firewall - ASA; NextGen Firewall - FirePower
  – Application Delivery Controller (ADC)
  – Application Performance Monitoring (APM) - NAM
  – Secure Web Gateways - WSA
  – Content Delivery Network - VDS-IS
  – Application Components
21 Network Function Virtualization Service Nodes Contain One or More Service Functions
• Transport
  – Routing / VRF
  – Bridging
  – Virtual gateway
  – VPN
• Experience
  – QoS
  – WAN optimization
  – Caching of files/objects
  – Application Response Time (ART)
  – Performance Routing
• Security
  – Firewall (L2-4)
  – NextGen Firewall (L3-7)
  – DDoS
  – IDS / IPS
  – Antivirus (AV)
  – Data Leakage Prevention (DLP)
  – Deep packet inspection
  – Anti-Malware Protection
  – Content Filtering
  – User / Device AAA
  – Network Auth 802.1x
  – Segmentation Tags
  – Netflow
• Infrastructure Services
  – Voice/video
  – Directory
  – DNS
  – NAS
  – Lifecycle manager
• Applications
  – Business applications
  – IOT
  – Analytics
  – Etc.
22 Network Function Virtualization Service Nodes Implement Fixed Service Function Orders
Inside to Outside, IOS 12.4(T):
1. If IPSec then check input ACL
2. Decryption (CET or IPSec)
3. Check input ACL
4. Check input rate-limit
5. Input accounting
6. Policy Routing
7. Routing
8. NAT inside to outside
9. Crypto (check map and mark for encr)
10. Inspect (CBAC) / IOS FW
11. TCP Intercept
12. Encryption
13. Queuing
Outside to Inside, IOS 12.4(T):
1. If IPSec then check input ACL
2. Decryption (CET or IPSec)
3. Check input ACL
4. Check input rate-limit
5. Input accounting
6. NAT outside to inside
7. Policy Routing
8. WCCP Redirect IN
9. Routing
10. WCCP Redirect OUT
11. Crypto (check map and mark for encr)
12. Inspect CBAC
13. TCP Intercept
14. Encryption
15. Queueing
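The order matters for policy authoring: in the outside-to-inside direction the input ACL is evaluated before NAT, so an inbound ACL on the outside interface has to match the global (pre-translation) address. The Python below is added here as an illustration, not code from the deck or from IOS: it runs a packet through three of the listed stages (check input ACL, NAT outside to inside, routing) with constructed RFC 5737 addresses and shows an ACL written against the inside address silently denying the traffic.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# Constructed example addresses (RFC 5737 documentation ranges); not from the slide.
STATIC_NAT = {"203.0.113.10": "10.1.1.10"}   # outside (global) -> inside (local)
ROUTES = [("10.1.1.0/24", "GigabitEthernet0/1"), ("0.0.0.0/0", "GigabitEthernet0/0")]


def check_input_acl(pkt, acl):
    """ACL entries are (action, dst, dport); first match wins, implicit deny at the end."""
    for action, dst, dport in acl:
        if dst in ("any", pkt.dst) and dport in (None, pkt.dport):
            return action == "permit"
    return False


def nat_outside_to_inside(pkt):
    """Translate the destination from its global to its local address."""
    return replace(pkt, dst=STATIC_NAT.get(pkt.dst, pkt.dst))


def route(pkt, routes=ROUTES):
    """Longest-prefix match over the static routing table."""
    addr = ipaddress.ip_address(pkt.dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def outside_to_inside(pkt, acl):
    """Apply the slide's outside-to-inside order for the three stages modelled
    here: check input ACL, then NAT outside to inside, then routing.
    Returns the verdict and a trace of what each stage saw."""
    trace = [("input ACL sees dst", pkt.dst)]
    if not check_input_acl(pkt, acl):
        return "dropped by input ACL", trace
    pkt = nat_outside_to_inside(pkt)
    trace.append(("dst after NAT", pkt.dst))
    iface = route(pkt)
    trace.append(("routed via", iface))
    return f"forwarded to {pkt.dst} via {iface}", trace


INBOUND = Packet(src="198.51.100.7", dst="203.0.113.10", dport=443)
# Written against the inside address: the ACL runs before NAT, so it never matches.
ACL_LOCAL = [("permit", "10.1.1.10", 443)]
# Written against the global address the ACL actually sees.
ACL_GLOBAL = [("permit", "203.0.113.10", 443)]

if __name__ == "__main__":
    for name, acl in (("ACL on local address", ACL_LOCAL), ("ACL on global address", ACL_GLOBAL)):
        verdict, trace = outside_to_inside(INBOUND, acl)
        print(f"{name}: {verdict}  trace={trace}")
```

The same pipeline idea carries over to the inside-to-outside list: there NAT comes after routing and the input ACL sees local addresses, so the address an ACL must name depends on which stage, in which direction, evaluates it.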
23 Network Function Virtualization Service Node Standard Interface Meta Data
• Service Node
  – Vendor
  – Product
  – Category
  – Place
    . Branch / Store / Bank
    . Data Center
    . Cloud / Service Provider / Data Center
    . Carrier Transit Data Center PoP / CO
• Form Factors
  – Physical
  – ESX
  – KVM
  – Hyper-V
  – Xen
  – Amazon AMI
  – LXC / Docker Container
• Performance
  – DPDK
  – SR-IOV
  – PCI Pass Through
  – VirtIO
24 Network Function Virtualization Service Node Standard Interface Meta Data (Cont'd)
• Service Insertion
  – Type
    . GoThrough Bridged
    . GoThrough Routed
    . GoTo VIP / Loopback
    . CopyTo
  – Encapsulation
    . VLAN
    . VXLAN
    . NSH
  – Clusters
    . WCCP
    . AppNav
    . vPath 2.0
    . SFC
• Programmability
  – CLI / SSH
  – SNMP
  – GUI HTTPS
  – REST API
  – OpenFlow
  – Netconf / Restconf / Yang
  – Integrated Confd
  – NCS Tail-f Ned
  – Ubuntu / RHEL Openstack ML2 plugin
• Config Controller Support
  – APIC Opflex
  – APIC Device Package
  – APIC-EM
  – ODL
  – Life Cycle Manager
    . ESC
    . ESC-lite / VBO
  – Grapevine
25 Network Function Virtualization Design Planning Questions
• If I start with a controller, what VNFs are available to me?
• If I start with a hypervisor, what VNFs are available to me?
• If I have a specific VNF, what controllers are available?
• If I require high performance, what VNFs support VirtIO, DPDK, Cavium?
• If I deploy in the branch, which are intended for edge use?
• If I prefer REST API interfaces, which VNFs are compatible?
• If I want to use Network Service Header NSH chaining, what VNFs are available to me?
26 Network Function Virtualization Standard Interfaces For Flexibility & Reduced Complexity
Validated Designs
27 Network Function Virtualization IOS SDN Is Simply Agent Based Management
• 1993 – PCs transition from console to agent management
• 2001 – Wireless Access Points AP adopt agent management
• 2004 – Servers transition from console to agent management
• 2007 – Google Android and Apple IOS adopt cloud agent based management to achieve unprecedented growth
• 2015 – Network devices transition from console to agent management
• Support staff grows with device growth until agent based management is adopted
Chart: Number of Devices (y axis) versus year 1980-2020 (x axis) for Client PC, Server, Wireless AP, Mobile (Android / IOS) and Network, with the agent adoption points marked (Client Agent, Server Agent, AP Agent, Mobile Agent, Opflex, Netconf/Yang agent, Meraki, Wired Agent).
http://www.frenchjim.com/2015/07/sdn-is-simply-agent-based-management.html
28 Network Function Virtualization State of the Industry
• CPU Virtual Technology VT enablement
• KVM viable hypervisor
• Physical network appliances widely available on ESXi and more recently KVM
• Agent-based orchestration (Netconf/Yang, Puppet, Chef, Ansible, OpFlex, Etc.)
• Adoption of x86 crypto and encap offload cards when needed
• Performance improvements in virtual switching (VPP and OVS user space)
• IETF standardized service chaining imminent
• Physical Linux appliances commonly have kernel mods, so it is too early for containers
29 Software Components Linux KVM Configuration Daemon (Confd) Openstack* Elastic Services Controller (ESC) Network Services Orchestrator (NSO) Portal
30 Linux KVM
31 Linux KVM Hypervisor
• A hypervisor or Virtual Machine Monitor (VMM) is a piece of computer software, firmware or hardware that creates and runs virtual machines.
• Allows multiple instances of a variety of operating systems to share the virtualized hardware resources.
• Type-1: native or bare-metal hypervisors - run directly on the host's hardware (VMware ESXi, Microsoft Hyper-V, Citrix XenServer)
• Type-2: hosted hypervisors - just like a regular app on OS (VMware Workstation/Fusion, VirtualBox)
32 Linux KVM http://qemu.org QEMU (Quick EMUlator)
• Generic and open source machine emulator and virtualizer
• As emulator, QEMU can run OSes and programs made for one architecture (e.g. ARM) on a different machine (e.g. x86) by using dynamic binary translation
• As virtualizer, QEMU executes the guest code directly on the host CPU - achieved by complex software techniques, necessary to compensate for the processor's lack of virtualization support
• Single-threaded Linux process
33 Linux KVM http://www.linux-kvm.org Kernel-based Virtual Machine
• Virtualization infrastructure for the Linux kernel that turns it into a Hypervisor
• Linux infrastructure reuse (scheduler, MM, I/O, networking, logs...)
• Kernel module in Linux kernel mainline since 2.6.20 (2006)
  – Provides interface for Intel VT-x or AMD-V
  – Executes guest code
  – Handles performance critical operations
• Userspace binary (kvm, qemu-kvm, qemu-system-x86_64...)
  – fork of QEMU
  – Set up VM and I/O devices
  – Execute guest code via KVM kernel module
  – I/O emulation
34 Linux KVM QEMU-KVM from Linux Perspective
Diagram: three qemu-kvm userspace processes, each holding guest memory (seen by the guest as physical memory) and running vcpu0, vcpu1 and an iothread; all of them reach the kvm-kmod kernel module through /dev/kvm and are scheduled by the kernel scheduler.
35 Linux KVM KVM Features
• i386 and x86_64 UniProcessing and Symmetric Multi-Processing SMP guests
• Runs Linux, Windows, and many other OSs
• PCI pass-through for performance
• ParaVirtualized I/O VirtIO
• Live migration including block migration
• Snapshot save/resume
• Guest swapping and memory deduplication
36 Linux KVM Qemu-KVM Command Line Example
/usr/bin/kvm -S -M pc-1.0 -enable-kvm -m 2048 -smp 2,sockets=2,cores=1,threads=1 \
  -name jumphost-ikovacev-Win7 \
  -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/jumphost-ikovacev-Win7.monitor,server,nowait \
  -mon chardev=charmonitor,id=monitor,mode=control \
  -rtc base=localtime -no-shutdown \
  -drive file=/var/lib/libvirt/images/jumphost-ikovacev-Win7.qcow2,if=none,id=drive-virtio-disk0,format=qcow2 \
  -device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=2 \
  -drive file=/var/lib/libvirt/iso/en_windows_7_ultimate_x64_dvd_x15-65922.iso,if=none,media=cdrom,id=drive-ide0-0-0,readonly=on,format=raw \
  -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 \
  -netdev tap,fd=18,id=hostnet0 \
  -device e1000,netdev=hostnet0,id=net0,mac=52:54:00:a7:28:7e,bus=pci.0,addr=0x3 \
  -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 \
  -usb -device usb-tablet,id=input0 \
  -vnc 0.0.0.0:763 -vga std \
  -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
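A command line like this is also a useful audit artifact: every device, disk and listener the guest gets is spelled out in it. The Python below is an added example, not code from the deck, and the audit rules are this editor's choices rather than a QEMU feature. It parses the slide's command line into option/value pairs and flags the settings a reviewer would question: the VNC display bound to 0.0.0.0 with neither the password nor the tls-creds option, installation media that is not read-only, and an emulated e1000 NIC where VirtIO would perform better.

```python
import shlex

# The qemu-kvm command line from the slide, rejoined across its line breaks.
SLIDE_CMDLINE = (
    "/usr/bin/kvm -S -M pc-1.0 -enable-kvm -m 2048 -smp 2,sockets=2,cores=1,threads=1 "
    "-name jumphost-ikovacev-Win7 "
    "-chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/jumphost-ikovacev-Win7.monitor,server,nowait "
    "-mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown "
    "-drive file=/var/lib/libvirt/images/jumphost-ikovacev-Win7.qcow2,if=none,id=drive-virtio-disk0,format=qcow2 "
    "-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=2 "
    "-drive file=/var/lib/libvirt/iso/en_windows_7_ultimate_x64_dvd_x15-65922.iso,if=none,media=cdrom,id=drive-ide0-0-0,readonly=on,format=raw "
    "-device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 "
    "-netdev tap,fd=18,id=hostnet0 "
    "-device e1000,netdev=hostnet0,id=net0,mac=52:54:00:a7:28:7e,bus=pci.0,addr=0x3 "
    "-chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 "
    "-usb -device usb-tablet,id=input0 -vnc 0.0.0.0:763 -vga std "
    "-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5"
)


def parse_cmdline(cmdline):
    """Split a QEMU command line into (option, value) pairs.  Options that take
    no argument (-S, -enable-kvm, -usb, ...) get the value None."""
    argv = shlex.split(cmdline)
    pairs = []
    i = 1                                   # argv[0] is the binary
    while i < len(argv):
        opt = argv[i].lstrip("-")
        if i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            pairs.append((opt, argv[i + 1]))
            i += 2
        else:
            pairs.append((opt, None))
            i += 1
    return pairs


def parse_subopts(value):
    """'type,key=val,flag' -> ('type', {'key': 'val', 'flag': True}); the leading
    positional token is None when the value starts with key=val."""
    head, *rest = value.split(",")
    first = None
    if "=" in head:
        rest.insert(0, head)
    else:
        first = head
    opts = {}
    for item in rest:
        key, sep, val = item.partition("=")
        opts[key] = val if sep else True
    return first, opts


def audit(cmdline):
    """Return review findings for the listener, media and NIC choices in a command line."""
    findings = []
    for opt, value in parse_cmdline(cmdline):
        if value is None:
            continue
        if opt == "vnc":
            display, opts = parse_subopts(value)
            if display == "none":
                continue
            host, _, num = display.rpartition(":")
            port = 5900 + int(num) if num.isdigit() else "?"
            if host in ("", "0.0.0.0", "::"):
                findings.append(f"vnc: display {display} (TCP {port}) listens on all interfaces")
            if "password" not in opts and "tls-creds" not in opts:
                findings.append(f"vnc: display {display} has neither password nor tls-creds set")
        elif opt == "device":
            model, opts = parse_subopts(value)
            if model == "e1000":
                findings.append(f"device {opts.get('id')}: emulated e1000 NIC, not virtio-net")
        elif opt == "drive":
            _, opts = parse_subopts(value)
            if opts.get("media") == "cdrom" and opts.get("readonly") != "on":
                findings.append(f"drive {opts.get('id')}: installation media not read-only")
    return findings


if __name__ == "__main__":
    for finding in audit(SLIDE_CMDLINE):
        print(finding)
```

The VNC port it reports (5900 + display number) is the same TCP port the later virt-install slide exposes with `port=6663`, which is why `listen=0.0.0.0` deserves the same review there.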
37 Linux Networking
38 Linux Networking TAP and veth
• TAP = standard Linux device driver for creating L2 interfaces. Primarily used for allowing user-space programs to “inject” packets into Linux network stack.
  ip tuntap add dev eth0 mode tap
• veth = standard Linux device driver for creating L2 pipes (pair of linked Ethernet devices)
  ip link add veth0 type veth peer name veth1
39 Linux Networking Ethernet Bridge
• Part of Linux kernel networking stack
• Simple “unmanaged” switch with basic STP support (no VLANs)
• Packets switched by kernel based on mac address table
• Administered by brctl tool (config not persistent)
• In context of virtualization can be used to provide network access to VMs
Diagram: two qemu guests (OS → nic) attached through tap0 and tap1 to bridge br0, which is attached to the host's eth0.
40 Linux Networking brctl usage
brctl help
brctl addbr br0
brctl addif br0 eth0
brctl show [br0]
bridge name     bridge id               STP enabled     interfaces
br0             8000.64122536573a       no              eth0
                                                        vnet0
                                                        vnet1
brctl showmacs br0
port no mac addr                is local?       ageing timer
  1     00:00:5e:00:01:dc       no                 0.03
  1     00:2a:6a:bd:48:01       no                18.56
  1     00:2a:6a:c4:46:01       no                 1.31
  2     52:54:00:a7:28:7e       no                 0.00
...
brctl showstp br0
eth0 (1)
 port id                8001                    state                  forwarding
 designated root        8000.64122536573a       path cost                  4
 designated bridge      8000.64122536573a       message age timer       0.00
 designated port        8001                    forward delay timer     0.00
 designated cost           0                    hold timer              0.08
41 Linux Networking Network Namespaces
• Linux kernel feature for isolating the network interface controllers (physical or virtual), iptables firewall rules, routing tables etc.
• Similar to VRFs on Cisco IOS
  ip netns add
42 Linux Networking veth + netns + br
ip netns add ns1
ip netns add ns2
brctl addbr br-test
ip link add tap1 type veth peer name br-tap1
ip link set tap1 netns ns1
brctl addif br-test br-tap1
ip link add tap2 type veth peer name br-tap2
ip link set tap2 netns ns2
brctl addif br-test br-tap2
…
43 Linux Networking http://openvswitch.org Open vSwitch
• Open source implementation of a distributed virtual multilayer switch
• Main purpose is to provide a switching stack for hardware virtualization environments
• Merged into the Linux kernel mainline in kernel version 3.3
• Features:
  . VLANs with trunking, LACP, port-channels
  . STP, BFD
  . QoS, traffic policing
  . NetFlow, SPAN, RSPAN
  . traffic tunneling via GRE, VXLAN, IPsec
  . kernel space and user space forwarding
  . OpenFlow
44 Linux Networking OVS Packet Forwarding
• Decision about how to process packet made in userspace
• First packet of new flow goes to ovs-vswitchd, following packets hit cached entry in kernel
The Fast Data Project – Vector Packet Processing https://fd.io/
45 Linux Networking ovs-vswitchd
• Core component in the system:
  . Communicates with outside world using OpenFlow
  . Communicates with ovsdb-server using OVSDB protocol
  . Communicates with kernel module over netlink
  . Communicates with the system through netdev abstract interface
• Supports multiple independent datapaths (bridges)
• Packet processing order:
  1. Packet received from kernel
  2. Classifier module looks for matching flows and accumulates actions
  3. Prior to 1.11, an exact match flow is generated with the accumulated actions and pushed down to the kernel module (along with the packet)
  4. After 1.11 it is possible to push wildcards to kernel module (megaflows)
46 Linux Networking OVS Kernel Module
• Handles switching and tunneling
• Designed to be fast and simple (fast cache)
  . Packet comes in; if found, associated actions executed and counters updated. Otherwise, sent to userspace
  . Does no flow expiration
  . Knows nothing of OpenFlow
• Packet processing order:
  1. Packet arrives and header fields extracted
  2. Header fields are hashed and used as an index into a set of large hash tables
  3. If entry found, actions applied to packet and counters are updated
  4. If entry is not found, packet sent to userspace and miss counter incremented
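The split between the userspace classifier and the kernel cache, and the difference an exact-match cache (pre-1.11) versus megaflows (1.11+) makes, can be seen in a small simulation. The Python below is an added illustration, not Open vSwitch code: the classifier holds OpenFlow-style priority rules, the kernel side keeps a cache keyed either by every header field or only by the fields the classifier had to examine, and counters record hits and misses for 200 constructed clients sending two packets each. The megaflow mask used here (the union of the fields of every rule checked on the way to a match) is a simplification of the staged lookup real OVS performs, but it is a correct mask.

```python
from collections import Counter
from dataclasses import dataclass, field

FIELDS = ("in_port", "ip_src", "ip_dst", "proto", "tp_dst")


@dataclass
class Rule:
    priority: int
    match: dict        # field -> required value; fields not listed are wildcarded
    actions: str


@dataclass
class Datapath:
    """Toy model of the OVS split: classify() is the ovs-vswitchd slow path,
    process() is the kernel fast path with its flow cache."""
    rules: list
    megaflows: bool                               # False: exact-match entries; True: masked entries
    cache: dict = field(default_factory=dict)     # (mask, masked key) -> entry
    masks: set = field(default_factory=set)
    stats: Counter = field(default_factory=Counter)

    def classify(self, pkt):
        """Highest-priority matching rule plus the fields examined to find it;
        those fields are the mask a megaflow needs to stay correct."""
        examined = set()
        for rule in sorted(self.rules, key=lambda r: -r.priority):
            examined.update(rule.match)
            if all(pkt.get(f) == v for f, v in rule.match.items()):
                return rule, frozenset(examined)
        return None, frozenset(examined)

    @staticmethod
    def masked_key(pkt, mask):
        return tuple((f, pkt.get(f)) for f in FIELDS if f in mask)

    def process(self, pkt):
        for mask in self.masks:                   # one hash lookup per distinct mask
            entry = self.cache.get((mask, self.masked_key(pkt, mask)))
            if entry is not None:
                self.stats["hit"] += 1
                entry["packets"] += 1
                return entry["actions"]
        self.stats["miss"] += 1                   # upcall to userspace
        rule, examined = self.classify(pkt)
        actions = rule.actions if rule else "drop"
        mask = examined if self.megaflows else frozenset(FIELDS)
        self.masks.add(mask)
        self.cache[(mask, self.masked_key(pkt, mask))] = {"actions": actions, "packets": 1}
        return actions


# Constructed rule set: block SSH towards the servers, otherwise patch port 1 to port 2.
RULES = [
    Rule(100, {"proto": "tcp", "tp_dst": 22}, "drop"),
    Rule(10, {"in_port": 1}, "output:2"),
    Rule(10, {"in_port": 2}, "output:1"),
]


def run_scenario(megaflows, clients=200, packets_per_client=2):
    """Send HTTP from many distinct client addresses; return (stats, cache entries)."""
    dp = Datapath(rules=RULES, megaflows=megaflows)
    for c in range(clients):
        pkt = {"in_port": 1, "ip_src": f"10.0.{c // 256}.{c % 256}",
               "ip_dst": "10.1.0.5", "proto": "tcp", "tp_dst": 80}
        for _ in range(packets_per_client):
            dp.process(pkt)
    return dict(dp.stats), len(dp.cache)


if __name__ == "__main__":
    print("exact match:", run_scenario(False))   # one miss and one cache entry per client
    print("megaflows:  ", run_scenario(True))    # one miss and one entry for all clients
```

With exact-match entries every new source address is an upcall and a new kernel entry, which is the behaviour that made the pre-1.11 datapath easy to overwhelm with many short flows; with megaflows the 200 clients collapse into one cached entry because the classifier never looked at ip_src.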
47 Linux Networking OVS Utilities
• ovs-vsctl : Configures ovs-vswitchd, but really a high-level interface for database
• ovsdb-tool : tool for managing database file
• ovs-ofctl : configure and query OpenFlow module
• ovs-appctl : utility for configuring and querying Open vSwitch daemons
http://openvswitch.org/support/ 48 Linux Networking ovs-vsctl
• ovs-vsctl show
• ovs-vsctl add-br
• ovs-vsctl list-br
• ovs-vsctl add-port
• ovs-vsctl list-ports
• ovs-vsctl list TBL [REC]
• ovs-vsctl set TBL REC COL[:KEY]=VALUE
49 Linux Networking http://libvirt.org libvirt
• Open source toolkit to interact with the virtualization capabilities of various hypervisors (KVM, QEMU, ESXi, Xen...)
• Incorporates API, daemon and management tool
• Used by OpenStack, virt-manager...
• Config is stored in XML files at /etc/libvirt/qemu/
• virsh: front-end CLI
• python API is available
• domain = VM
55 Linux Networking network XML for OVS
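The slide's XML is not reproduced in this extract. As an added example, not taken from the deck, the Python below generates a libvirt network definition that attaches guests to an existing Open vSwitch bridge through `<virtualport type='openvswitch'/>`, with portgroups that carry the VLAN tag, plus the matching guest `<interface>` fragment. The element and attribute names are libvirt's; the bridge name br-int, the network name ovs-net, the MAC address and the VLAN ids are constructed. The point to notice is that the VLAN is assigned by the host-side network definition a guest's interface merely names, not by anything the guest controls.

```python
import xml.etree.ElementTree as ET


def ovs_network_xml(name, bridge, portgroups):
    """libvirt <network> that hands guest ports to an existing OVS bridge.
    portgroups maps a portgroup name to a VLAN id (None = untagged)."""
    net = ET.Element("network")
    ET.SubElement(net, "name").text = name
    ET.SubElement(net, "forward", mode="bridge")
    ET.SubElement(net, "bridge", name=bridge)
    ET.SubElement(net, "virtualport", type="openvswitch")
    for pg_name, vlan_id in portgroups.items():
        pg = ET.SubElement(net, "portgroup", name=pg_name)
        if vlan_id is not None:
            ET.SubElement(ET.SubElement(pg, "vlan"), "tag", id=str(vlan_id))
    return ET.tostring(net, encoding="unicode")


def guest_interface_xml(network, portgroup, mac, model="virtio"):
    """<interface> fragment for a domain definition: it names the portgroup only;
    the VLAN tag comes from the host-side network."""
    iface = ET.Element("interface", type="network")
    ET.SubElement(iface, "source", network=network, portgroup=portgroup)
    ET.SubElement(iface, "mac", address=mac)
    ET.SubElement(iface, "model", type=model)
    return ET.tostring(iface, encoding="unicode")


def vlan_for(network_xml, portgroup):
    """VLAN id a portgroup tags, None if untagged; KeyError if the portgroup is undefined."""
    root = ET.fromstring(network_xml)
    for pg in root.iterfind("portgroup"):
        if pg.get("name") == portgroup:
            tag = pg.find("vlan/tag")
            return int(tag.get("id")) if tag is not None else None
    raise KeyError(f"no portgroup {portgroup!r} in network {root.findtext('name')}")


def effective_vlan(network_xml, interface_xml):
    """Resolve the VLAN a guest interface lands on from the two definitions."""
    src = ET.fromstring(interface_xml).find("source")
    return vlan_for(network_xml, src.get("portgroup"))


# Constructed network: two tenant segments and an untagged management portgroup.
NETWORK = ovs_network_xml("ovs-net", "br-int", {"tenant-a": 100, "tenant-b": 200, "mgmt": None})

if __name__ == "__main__":
    print(NETWORK)
    iface = guest_interface_xml("ovs-net", "tenant-b", "52:54:00:00:00:01")
    print(iface, "-> VLAN", effective_vlan(NETWORK, iface))
```

The generated network would be loaded with `virsh net-define` and the interface fragment placed in a domain's `<devices>`; a guest asking for a portgroup that is not defined is rejected at definition time, which the KeyError models.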
59 Linux Networking virsh - virtualization shell
• virsh help
• virsh list [--all]
• virsh start/destroy/reset
• virsh define/create/undefine
• virsh edit
• virsh dumpxml
• virsh net-list [--all]
• virsh net-* (same subcommands as for domains)
• virsh domblklist
60 Linux Networking http://virt-manager.org virt-manager
61 Linux Networking virt-install
virt-install \
  --name=Win7 \
  --ram=2048 \
  --vcpus=2 \
  --noautoconsole \
  --os-type=windows \
  --os-variant=win7 \
  --disk path=/var/lib/libvirt/images/Win7.qcow2,format=qcow2,device=disk,bus=ide \
  --disk path=/var/lib/libvirt/iso/Win7.iso,device=cdrom,perms=ro \
  --boot=cdrom,hd \
  --network network=br-eth1,model=e1000 \
  --graphics vnc,listen=0.0.0.0,port=6663 \
  --import \
  --noreboot
62 Planned Service Function Chaining SFC with Network Service Header NSH
64 Service Function Chaining Current Hypervisor Edge Application Service Chaining
• Server farm service insertion is easy
• Traffic is destined for virtual machine through virtual switch Nexus 1000v or Vmware DVS
• One way in and one way out
• vSwitch captures bidirectional flows destined for virtual machine and can redirect to service node anywhere
• In path in middle of network service insertion is not trivial because there are multiple paths
• VMware DVS requires
Diagram: VNF #1-#3 and APP #1-#3 with an API Agent and vPath 2.0 client ports, on Nexus 1000v or VMware DVS over VMware vSphere (Memory, CPU, Storage, Network).
65 Service Function Chaining vPath 2.0 to NSH
• IETF draft Network Services Header is missing a control plane
• 18 month investment to add redirection client to a service node
• vPath 3.0 control plane
• Agentless vPath 3.0 supports any service node, on any VEM, anywhere
• Per service symmetric scale out
• KVM based
• Potential future container compatible
• Simplified operations
• Reduced subnet and IP address consumption
• Reduced VLAN management
Diagram: Non-Participant Service; VNF #1-#3 with API Agent; vPath 2.0 client (C) and server (S) ports compared with Nexus 1000v vPath 3.0 Client & Server, both on KVM (Memory, CPU, Storage, Network).
66 Service Function Chaining Network Service Header (NSH)
• IETF draft NSH encapsulation
• Participant service offers enhanced classification and segmentation
• Non-participant offers support for any 3rd party service via traditional VLAN or VXLAN
• Cisco NSH control planes
  – OVS
  – Nexus 1000v VEM with VSM*
• Benefits
  – Simplified ordering of services across places
  – Simplified IP Address Management (IPAM)
  – Per service high available and symmetric scale out
Diagram: ASA, WAAS, CSR (#1-#3) with API Agent behind a vSwitch on KVM (Memory, CPU, Storage, Network); Client on the LAN side, Server on the WAN side.
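To make the NSH encapsulation concrete, the Python below builds and parses an MD Type 1 Network Service Header and walks a service path through a service function forwarder. It is an added example, not code from the deck or from any Cisco product; the field layout follows RFC 8300, the published form of the IETF draft the slide cites, and the path id (SPI 10), the service names (ASA → WAAS → CSR) and the TTL values are constructed.

```python
import struct

NP_IPV4, NP_ETHERNET = 0x1, 0x3          # Next Protocol values from RFC 8300


def encode_nsh(spi, si, ttl=63, next_proto=NP_IPV4, context=b"\x00" * 16, payload=b""):
    """Build an MD Type 1 NSH (4-byte base header, 4-byte service path header,
    16-byte fixed-length context) in front of payload.
    Base header bits: Ver(2) O(1) U(1) TTL(6) Length(6) U(4) MD Type(4) Next Protocol(8)."""
    if not (0 < spi < 1 << 24 and 0 <= si <= 255 and 0 <= ttl <= 63 and len(context) == 16):
        raise ValueError("NSH field out of range")
    length_words = 6                                      # 24 header bytes in 4-byte words
    base = (ttl << 22) | (length_words << 16) | (1 << 8) | next_proto
    path = (spi << 8) | si                                # SPI(24) SI(8)
    return struct.pack("!II", base, path) + context + payload


def decode_nsh(frame):
    """Return (header fields, inner payload)."""
    base, path = struct.unpack("!II", frame[:8])
    hdr = {
        "ver": base >> 30, "o_bit": (base >> 29) & 1,
        "ttl": (base >> 22) & 0x3F, "length": (base >> 16) & 0x3F,
        "md_type": (base >> 8) & 0xF, "next_proto": base & 0xFF,
        "spi": path >> 8, "si": path & 0xFF,
    }
    hdr_len = hdr["length"] * 4
    hdr["context"] = frame[8:hdr_len]
    return hdr, frame[hdr_len:]


def with_si(frame, si):
    path = struct.unpack("!I", frame[4:8])[0]
    return frame[:4] + struct.pack("!I", (path & 0xFFFFFF00) | si) + frame[8:]


def with_ttl(frame, ttl):
    base = struct.unpack("!I", frame[:4])[0]
    base = (base & ~(0x3F << 22) & 0xFFFFFFFF) | (ttl << 22)
    return struct.pack("!I", base) + frame[4:]


def walk_chain(frame, sff_table):
    """Service Function Forwarder loop: look up (SPI, SI), hand the packet to
    that service function, then decrement SI and TTL.  Returns the services
    visited and how the packet left the chain."""
    visited = []
    while True:
        hdr, _ = decode_nsh(frame)
        if hdr["ttl"] == 0 or hdr["si"] == 0:            # loop guard / exhausted index
            return visited, "dropped"
        sf = sff_table.get((hdr["spi"], hdr["si"]))
        if sf is None:                                    # no further hop on this path
            return visited, "end of path: NSH removed, payload forwarded"
        visited.append(sf)
        frame = with_ttl(with_si(frame, hdr["si"] - 1), hdr["ttl"] - 1)


# Constructed path: SPI 10 visits the firewall, then the WAN optimizer, then the router.
SFF_TABLE = {(10, 255): "asa", (10, 254): "waas", (10, 253): "csr"}

if __name__ == "__main__":
    frame = encode_nsh(spi=10, si=255, payload=b"ip-packet")
    print(decode_nsh(frame)[0])
    print(walk_chain(frame, SFF_TABLE))
```

The forwarder never consults addresses or VLANs to decide the next hop; the (SPI, SI) pair alone selects it, which is what lets the slide claim simpler ordering across places and simpler IPAM. The TTL check is the defensive detail worth keeping: a mis-programmed path table that pointed back to an earlier index would otherwise loop forever.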
67 Configuration Daemon Tail-f Confd
68 Confd Configuration Daemon
Traditional Stovepipe Approach:
• Custom engineering
• Extraordinary effort
• Inconsistent across interfaces
Confd Approach:
• Open source
• Minimal effort
• Single source of truth across interfaces
69 ConfD Configuration and Operational State Abstraction
• Management agents: NETCONF, SNMP, CLI, and Web
• Management backplane provides hierarchical view of config and statistics data through Management API
• Management database may be the integrated CDB, distributed XML, or external
70 Elastic Services Controller (ESC) Lifecycle Management
71 Elastic Services Controller ESC Management Functions
• Agentless VNF management (Any Vendor, Any Application, Any VNF)
• VNF lifecycle management (Create, Read, Delete)
• VNF Day0 configurations
• VM and service monitoring
• VNF Auto-healing, recovery
• Service elasticity
• VNF license management
• Multi-VIM Infrastructure support
• End to End customization support for VNF operations
• Transaction resume and rollback
• Coupled VNF management (VM Affinity/Anti-affinity, startup order, VM interdependency)
• Service Advertisement
Diagram: Elastic Services Controller (ESC) lifecycle ring around the VNF/VM: onboard → deploy → monitor → update → scale → healing / fault-recovery → undeploy.
72 Elastic Service Controller Components
Diagram: NSO → Confd API → Elastic Services Controller (ESC), which contains the VM Provisioning & Configuration Module, the Elasticity Rules Engine (Scale Up/Down, Service Provisioning, Day 0 Config) and the Service Monitor (Ganglia, Custom, SNMP, Application); southbound to OpenStack and Public Clouds, with DHCP and VNS Bring-up & Initial Configuration.
• Confd API: Programmable Interface to ESC allows Functional Interaction to ESC Subcomponents. Allows Modular Communication with NSO. Data Model Driven.
• Elasticity Rules Engine: Affinity Rules and Scale Requirements for the VNF components. Also manages the startup sequences.
• Service Monitor: ESC uses a multidimensional approach to VNF Monitoring/Restartability. Custom Multi-vendor Support.
73 Elastic Services Controller VNF Lifecycle Management – Monitoring & Elasticity
Diagram: Elastic Services Controller with Monitor, Analytic Engine, Rule Engine, Provisioning and Configuration modules across the VNFs. Provision and Configure run VM Bootstrap and Service Bootstrap; the monitored conditions (VM process alive, Service process alive, Overloaded/Underloaded, VM DEAD, Service DEAD, Functional) trigger a Custom Script or a Predefined Action.
List of Events:
• VM Alive
• Service Alive
• Upper load threshold crossed
• Lower load threshold crossed
• Service Dead
• VM Dead
List of Actions:
• Notify (callback)
• Advertise Service
• Withdraw Service
• Restart VM
• Scale up (add a VM)
• Scale down (remove a VM)
• Individually customizable action(s) for every event
Simple Rules:
• Service Alive => advertise
• VM Dead => withdraw
• Upper load => scale up
Complex Rules:
• Service Alive => Advertise, Notify
• Upper load => Scale up, Notify, Advertise
• Service Dead => Withdraw, Notify, Restart
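The event-to-action rules on this slide can be written directly as a small engine. The Python below is an added illustration, not ESC's own rule syntax or code: it transcribes the slide's complex rules and the VM Dead simple rule, adds an assumed lower-load rule (the slide lists scale down as an action but prints no rule for it), and keeps enough per-service state to show when an action is skipped, for example scale up at the VM ceiling.

```python
from dataclasses import dataclass, field

# Event -> ordered actions.  service_alive, upper_load, service_dead and vm_dead are
# transcribed from the slide; lower_load is an assumed counterpart to upper_load.
RULES = {
    "service_alive": ["advertise", "notify"],
    "upper_load": ["scale_up", "notify", "advertise"],
    "lower_load": ["scale_down", "notify"],
    "service_dead": ["withdraw", "notify", "restart_service"],
    "vm_dead": ["restart_vm", "withdraw", "notify"],
}


@dataclass
class ServiceState:
    name: str
    vms: int = 1
    min_vms: int = 1
    max_vms: int = 3
    advertised: bool = False
    notifications: list = field(default_factory=list)   # stands in for the NSO callback
    restarts: int = 0


class RuleEngine:
    """Maps monitor events to lifecycle actions.  Each action returns whether it
    actually changed anything, so handle() reports only the actions that ran."""

    def __init__(self, rules=RULES):
        self.rules = rules

    def handle(self, svc, event):
        if event not in self.rules:
            raise KeyError(f"no rule for event {event!r}")
        return [a for a in self.rules[event] if getattr(self, "act_" + a)(svc, event)]

    def act_advertise(self, svc, event):
        svc.advertised = True
        return True

    def act_withdraw(self, svc, event):
        svc.advertised = False
        return True

    def act_notify(self, svc, event):
        svc.notifications.append((event, svc.vms))
        return True

    def act_scale_up(self, svc, event):
        if svc.vms >= svc.max_vms:
            return False                      # at the ceiling: skipped, not an error
        svc.vms += 1
        return True

    def act_scale_down(self, svc, event):
        if svc.vms <= svc.min_vms:
            return False                      # never scale below the floor
        svc.vms -= 1
        return True

    def act_restart_vm(self, svc, event):
        svc.restarts += 1
        return True

    act_restart_service = act_restart_vm


if __name__ == "__main__":
    svc, engine = ServiceState("asa-chain"), RuleEngine()
    for ev in ("service_alive", "upper_load", "upper_load", "upper_load", "service_dead"):
        print(ev, "->", engine.handle(svc, ev), "vms =", svc.vms, "advertised =", svc.advertised)
```

Keeping the ceiling and floor inside the actions rather than in the rule table is the design choice worth copying: the rules stay a readable transcript of policy, and the guard that stops a runaway scale-out lives in one place.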
74 Elastic Services Controller Modularity
• Southbound VIM: vCenter, Direct Hypervisor LibVirt*, Openstack Heat, Openstack/KVM*, Ubuntu Linux Containers*, Clouds*
• Elastic Services Controller: VNF Lifecycle management; Monitoring, Elasticity and Recovery; Yang Model driven or API Integration
• Northbound Orchestration System: Cisco Network Services Orchestrator or Any 3rd Party NFV Service Orchestrator, via API / Netconf / Yang
* Planned
75 Network Services Orchestrator (NSO)
79 Network Service Orchestrator Hierarchy (slides 79-84 build the stack from the bottom up)
• Network Element Driver NED / YANG: Common mechanism for native interface to any HW / SW system; industry leading capability in NG SP YANG device management
• Device Model: Abstraction of capabilities and services supported in a device or system via NED/YANG
• Service Models: Construct services independent of infrastructure – reduce workflow in SP infra
• X-Domain Service Models: Construct services independent of infrastructure – reduce workflow in SP infra
85 Network Services Orchestrator (NSO) Components
• Rest/NetConf/Yang northbound interface
• Service Models written in Yang: Abstract Service Intent from underlying physical devices
• Service Manager: Interprets Service Intent with Service Instantiation Rules and derives configuration deltas
• Zero Touch Deployment (ZTD) PnP Server: Open Method for ZTD, Open PnP Drivers Access
• Mapping (known as “Fastmap”): Maps the Service Intent to the Derived Device Topology
• Transactional Database (CDB): Allows full CRUD capabilities to Services
• Device Manager: Manages derived and validated configurations in a transactional manner towards derived infrastructure
• Network Element Drivers: Abstract the interfaces to the devices, allowing 3rd party infrastructure to participate in Service Instantiation (i.e. ESC)
Diagram: NSO above a Domain Controller and ISR / x86 / Virtual network elements.
86 Network Services Orchestrator Hierarchy
• YANG Business Service Model: Constructed From Topologies
• Topology: Connecting Component Services
• YANG Component Service Models: Consuming Capabilities Exposed in YANG device models/NEDs
• Network Element Driver NED
87 Hardware Components
88 Hardware Components Compute For Any Place, Segment, or Environment
• UCS B-series
• UCS C-series
• UCS M-series
• UCS Mini
• ISR Embedded UCS E-series
• ISA 3000 Industrial Appliance
89 Use Cases
90 Solutions
Chart: Service or Node VM Density (1 to 10000, y axis) against Sites or Locations (1 to 10000, x axis), with Virtual Managed Services, Cloud VPN, MPLS IWAN, vBranch and Cloud Services Platform 2100 as the plotted solutions.
91 Data Center Use Cases CSP-2100
92 Data Center NFV Network Services Use Cases
Diagram: Client → ASR → Small / Medium / Large tenant VPN chains (VPN #1-#4 with CSR, WAAS, ASA and NAM services, each with a confd CfgAgent) → Data Center Access Chain (ASA #1/#2 with ADC #1/#2) → App Access Chain (ASA #1/#2 with NAM #1/#2) → Server Farm / Application Server Environment (FW, ADC, MON, App Chain). Every NFV host runs NFV Hosting Software, Agentless NSH, and Optional Acceleration (Vagrant, Libvirt, Services Controller) on Memory, CPU, Storage, Intel or Cavium, Network.
93 Data Center NFV Historical Physical Network Services
Integrated service modules Catalyst 6500 Integrated Services provide: ACE • Flexibility to choose from range of interface types (1G/10G, WAN interfaces) • Maximize ROI through investment protection FWSM • Leverage switch features (Routing, Virtualization, Netflow) to provide end-to-end solution NAM • Leverage switch qualification like NEBS • Reduce TCO through Infrastructure Simplification
94 Data Center NFV Network, Security, and Load Balancer Admin Challenges
• Keeping up with the server team
• ESXi product and support costs
• OpenStack complexity
• Little or no access to vCenter Server
• Lack of a toolset to manage virtual services
• Lack of Linux/OS expertise
• Comfort with dedicated HW appliances
• Need for HW performance (sometimes)
95 Data Center NFV Hosting Platform Foundational Technologies
• Policy management for user and application segments
• Clustering for HA and scale
• Chaining that is open and agentless
• Service lifecycle management
• Provisioning, operation, monitoring, troubleshooting
• Simplified, Libvirt, and OpenStack APIs
• Hypervisor and vSwitch provisioning/operations
• Bare-metal provisioning
• Hardware acceleration (when necessary)
[Diagram: Enterprise OSS (Prime/APIC-EM) and Service Provider OSS (NSO) on top; CMS with a CfgAgent or Agent per service (WAAS, Sourcefire IPS, ASAv, CSR) over Confd; Common Control Technology Stack: Cloud OS on Linux KVM, SFC, custom hardware and I/O drivers; Intel or Cavium memory, CPU, storage and network. Green = Cisco value add.]
97 Data Center NFV What is the CSP 2100?
[Stack diagram, top to bottom:]
• Orchestration: NSO 4.1, ODL, etc.
• Interfaces: GUI, CLI, REST, NetConf
• Virtual services: OSC (ODL), CSR, XRv 9000, ASAv, VTS, 3rd parties
• Platform software: ConfD, Linux/KVM (RHEL 7.2), OVS, PCIe Passthrough, SR-IOV*
• Hardware: UCS, 1 & 10G SFP+, Crypto (LiquidSecurity)*
98 Data Center NFV CSP-2100 Benefits
Easy-to-use GUI
• Turn-key and simple
• Network, security, and SLB admins
• Lifecycle management
• Provision a new service within minutes
Automation
• Wire once, use many
• Use DevOps to automate ACI services
• RESTful API
• NetConf
• CLI
Clustering
• Shared pool of resources
• Auto-deploy redundant HA pair
• One hardware for any virtual service
High Performance
• DPDK
• PCIe Passthrough (OVS bypass)
• SR-IOV
• HW offload using various PCIe cards (future)
99 Data Center NFV What Virtual Services Can I Run on the CSP 2100?
Existing Nexus 1010/1110 Virtual Services
• Network Analysis Module vNAM
• Virtual Security Gateway VSG
• Prime Network Services Controller PNSC
• Virtual Supervisor Module VSM
• Data Center Network Manager DCNM
Cisco KVM Virtual Services
• Elastic Services Controller ESC
• Virtual Topology System VTS
• Prime Service Catalog PSC
• IOS XRv 9000
• Cloud Services Router CSR
• Adaptive Security Appliance ASAv
• Open Daylight ODL
• Flexpod BMA
• RYU
Verified KVM 3rd Party Services
• Juniper SRX
• Citrix NetScaler VPX
• F5 LTM Virtual Edition
• A10 Networks
KVM Open Operating Systems
• Linux
• Red Hat
• Ubuntu
• Windows
Any KVM-based service
100 Data Center NFV CSP-2100 Places and Virtual Services
[Diagram: places POP, CO, COLO, HUB and DC, with the DC split into WAN Edge / DMZ, Core and Server Farm (App, Web and DB servers). Virtual services placed across these tiers: Router, Firewall, IDS/IPS, Monitor, Remote Access VPN, Extranet VPN, Security Proxy, ADC, Management, Automation, WAN Accelerator, CDN, VPN concentrator, WAF.]
101 Data Center NFV Detailed CSP-2100 Software Block Diagram
[Block diagram: User, Customer SW and NSO reach the CSP2100 through GUI (WebServer), REST API, CLI and Netconf/Yang; these sit on ConfD (AAA, C/Python, Confd Database), which drives LibVirt and the Images store on the RHEL 7.2 Kernel.]
• Uses ConfD to supply much of the user interface and configuration storage
• IOS-XR-like CLI
• REST / NetConf / Yang
• AAA
102 Data Center NFV CSP Demo
https://www.youtube.com/watch?v=5Uq7rsfs7wg
103 Data Center NFV CSP Web UI Running on Every Node in the Cluster
104 Cisco Confidential 9 Data Center NFV CSP Cluster Repository
105 Data Center NFV CSP Deploying a New Service
106 Data Center NFV GUI CLI
Virtual Service Deployment Wizard (GUI, CLI, REST)

Sample Service Creation - CLI Command

    conf terminal
    service tiny_cli
      memory 4098
      disk_size 8
      iso_name TinyCore-current.iso
      power on
      vnic 0
        network_name enp7s0

Sample Service Creation - REST Command

    curl -ku admin:admin -X POST https://10.29.174.39:443/api/running/services \
      -H "Content-Type: application/vnd.yang.data+json" \
      -d '{"service": {"name":"tiny_rest", "iso_name":"TinyCore-current.iso", "power":"on", "memory":"4098", "disk_size":"8", "vnics": {"vnic": [{"nic":"0", "type":"access", "network_name":"enp7s0"}]}}}'

119 Data Center NFV Physical Network Ports
120 Data Center NFV CSP Services View
121 Data Center NFV Confd Autogenerated Yang Sample

    container services {
      tailf:cli-drop-node-name;
      tailf:unique-selector 'service/serial_ports/serial_port' {
        tailf:unique-leaf 'serial_type';
        tailf:unique-leaf 'service_port';
      }
      list service {
        tailf:cli-enforce-table;
        tailf:cli-show-template
          "$(name|ljust:32) $(power|ljust:6) $(state|ljust:15) $(error)" {
          tailf:cli-auto-legend;
        }
        key name;
        tailf:callpoint change_vsb {
          tailf:transaction-hook subtree;
        }
        leaf uuid {
          type yang:uuid;
          description "uuid of service";
        }
        leaf name {
          type string {
            length 1..32;
            pattern "[A-Za-z0-9_\-]+";
          }
          description "service name";
        }
        leaf memory {
          type int32;
          description "RAM of VSB, in MB";
          default 2048;
          tailf:info "RAM of VSB, in MB";
          tailf:cli-show-with-default;
        }

122 Data Center NFV Confd Autogenerated Yang Sample (Cont'd)

        leaf numcpu {
          type int8;
          description "number of vcpus for VSB";
          default 1;
          tailf:cli-show-with-default;
        }
        leaf macid {
          type uint8;
          description "short per VSB id, internal only";
          default 1;
        }
        leaf disk_loc {
          type string {
            length 1..80;
            pattern "[A-Za-z0-9_\-\.]+";
          }
          description "path to HD image";
        }
        leaf disk_size {
          type int32;
          description "disk size of VSB, in GB";
          tailf:info "disk size of VSB, in GB";
          default 4;
          tailf:cli-show-with-default;
        }
        leaf iso_name {
          type string {
            length 1..80;
            pattern "[A-Za-z0-9_\-\.]+";
          }
          description "path to ISO image";
        }
        leaf vm_type {
          type enumeration {
            enum generic;
          }
          description "VM type (generic or none)";
          default generic;
        }
        leaf power {
          type enumeration {
            enum off;
            enum on;
            enum reset;
            enum reboot;
          }
          description "power (off, on, reset, reboot)";
          default off;
        }
        leaf state {
          config false;
          tailf:cdb-oper {
            tailf:persistent true;
          }
        }
      }
    }
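As an added example (not Cisco code), the request the REST sample on slide 106 sends, built in Python with the leaf constraints from the YANG sample above enforced client-side before anything is posted; the host, credentials and network name are constructed placeholders. Unlike the curl sample it passes no -k, so urllib's default TLS certificate verification stays on, and the credentials are parameters rather than the factory admin:admin.

```python
"""Client-side builder for a CSP-2100 service-creation request (added example)."""
import base64
import json
import re
from dataclasses import dataclass
from urllib.request import Request

# Constraints transcribed from the autogenerated YANG sample (list service).
NAME_RE = re.compile(r"^[A-Za-z0-9_\-]{1,32}$")        # leaf name
IMAGE_RE = re.compile(r"^[A-Za-z0-9_\-\.]{1,80}$")     # leaf iso_name
POWER_STATES = ("off", "on", "reset", "reboot")        # leaf power enumeration
INT32_MAX = 2**31 - 1                                  # leaf memory / disk_size


@dataclass
class ServiceSpec:
    """The fields the deck's REST sample sends; defaults are the YANG defaults."""
    name: str
    iso_name: str
    network_name: str
    memory: int = 2048      # MB
    disk_size: int = 4      # GB
    power: str = "off"
    nic: int = 0

    def validate(self) -> list:
        """Return the constraint violations (an empty list means the spec is valid)."""
        errors = []
        if not NAME_RE.match(self.name):
            errors.append("name: 1..32 chars matching [A-Za-z0-9_-]")
        if not IMAGE_RE.match(self.iso_name):
            errors.append("iso_name: 1..80 chars matching [A-Za-z0-9_.-]")
        if self.power not in POWER_STATES:
            errors.append("power: one of " + ", ".join(POWER_STATES))
        if not 1 <= self.memory <= INT32_MAX:
            errors.append("memory: positive int32 (MB)")
        if not 1 <= self.disk_size <= INT32_MAX:
            errors.append("disk_size: positive int32 (GB)")
        return errors

    def payload(self) -> dict:
        """JSON body in the shape of the deck's curl sample (it sends the
        numeric leaves as strings, so this does too)."""
        return {"service": {
            "name": self.name,
            "iso_name": self.iso_name,
            "power": self.power,
            "memory": str(self.memory),
            "disk_size": str(self.disk_size),
            "vnics": {"vnic": [{
                "nic": str(self.nic),
                "type": "access",
                "network_name": self.network_name,
            }]},
        }}


def build_request(spec: ServiceSpec, host: str, user: str, password: str) -> Request:
    """Same POST as the curl sample; raises ValueError instead of sending a
    body the YANG model would reject.  Open it with urllib.request.urlopen."""
    problems = spec.validate()
    if problems:
        raise ValueError("; ".join(problems))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = Request(
        f"https://{host}/api/running/services",
        data=json.dumps(spec.payload()).encode(),
        method="POST",
    )
    req.add_header("Content-Type", "application/vnd.yang.data+json")
    req.add_header("Authorization", f"Basic {token}")
    return req


# Constructed spec mirroring the deck's tiny_rest sample.
SAMPLE = ServiceSpec(name="tiny_rest", iso_name="TinyCore-current.iso",
                     network_name="enp7s0", memory=4098, disk_size=8, power="on")
```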
123 Data Center NFV Attaching Virtual Services To External Networks (Virtio)
[Diagram: two CSP nodes (Linux KVM, Confd) each between physical switches; Firewall and SLB virtual services attached directly to PNIC1 to PNICn, with services and control paths towards the client side and the server side.]
• Connect each service to 2 or more external network PNICs using VirtIO to minimize OVS impact on performance (client, server, FT*)
• Rely on physical switches for VLAN stitching
124 Data Center NFV Attaching Virtual Services To External & Internal Networks
[Diagram: as on the previous slide, but Firewall and SLB on each CSP node are also joined internally through VNICs on a vSwitch, with only the outer services attached to the external PNICs.]
1. Connect client side virtual service to external PNIC facing client
2. Connect virtual services internally to each other automatically creating a vSwitch
3. Connect server side virtual service to external PNIC facing client
125 Data Center NFV CSP Virtual Services Levels Of Control
[Diagram: NSO at the top, reaching Confd over Netconf/Yang and the virtual service managers (WAAS CM, Firesight Manager, Router Config) through a NED; CMS with a CfgAgent or Agent* per service (WAAS, Sourcefire IPS, ASAv, CSR) over Confd; Common Control Technology Stack: Cloud OS on RHEL with service chaining and optional acceleration; Intel or Cavium memory, CPU, storage and network.]
• Platform Management
  • Confd provides CLI, API, WebUI (hypervisor appliance)
  • NSO provisions virtual services through Netconf/Yang to Confd, or a 3rd party controller provisions through the RESTconf API through a Network Element Driver (NED)
• Virtual Service Management
  • Some virtual services use proprietary agents / managers
  • NSO offers service/device management for many
126 Data Center NFV CSP Software Release 2.0
• Support for UCSD and Bare Metal Agent BMA for FlexPod Automation
• Multi-disk partition support for services like PNSC and vWAAS
• Day.0 config file support for services like ASAv, CSR and others
• NFS support for image repository or virtual service disk creation location
• Multiple serial console support for services like XRv with 5 serial consoles
• Service Templates to save the virtual service resource configuration and re-use it for launching new virtual services
• Import/export machines (i.e. snapshot)
• Upgraded to RHEL 7.2 from RHEL 7.0 for services like VTS that require nested virtualization
127 Use Cases Branch
128 Branch NFV Trends
• Ethernet handoff availability growing
• IP telephony centralized call control and gateways
• Internet offload
• Direct Internet access
• Availability of virtualized network services
• Re-introduction of centrally managed x86 compute
• Internet of Things (IOT) / Internet of Everything (IOE)
129 Branch NFV Benefits
• Reduction of network elements to manage
• Automated network deploy & operations
• Capex reduction by deployment of standard x86-based servers
• Service Elasticity – Quick time to market
• Operational efficiencies through virtualization
• Deployment of best-of-breed
• Reduced complexity for High Availability
• OPEX decrease by reduction of branch visits or shipments
130 Branch NFV All-In-One AND A La Carte
• All-In-One (Enable Features)
  • Services
    • Route
    • Accelerate
    • VPN
    • Firewall
    • Content filtering
    • IPS/Snort
  • Products
    • ISR
    • Meraki
  • Customers
    • Commercial
    • SLED
• A La Carte (Enable VNF)
  • Profiles
    • Cisco All-In-One plus some 3rd party
    • Possible pure A La Carte with no Cisco service nodes
  • Customers
    • Globals and Enterprise
    • Verticals – Retail, Banking, Insurance, etc.
132 Branch NFV Bank Non-Redundant x86 Virtual Topology
[Diagram: one x86 host with a vSwitch hosting CSR1 (WAN1 pass-through), WAAS1 and Local Service 1 as virtual services; inside segment to the SRV PNIC and a trunk to the LAN.]
133 Branch NFV Bank Redundant x86 Virtual Topology
[Diagram: two x86 hosts; host 1 carries CSR1 (WAN1 pass-through), WAAS1 and Local Service 1, host 2 carries CSR2 (WAN2 pass-through), WAAS2 and Local Service 2; each with an inside SRV segment and a trunk to the LAN.]
134 Branch NFV Insurance Redundant Link x86 Virtual Topology
[Diagram: one x86 host with WAN1 (pass-through) and WAN2 terminating on the CSR, then NGFW and NAS; inside SRV segment to the LAN.]
135 Branch NFV Retail Company Redundant x86 Virtual Topology
[Diagram: two x86 hosts, each with a CSR (WAN1 or WAN2 pass-through), NGFW and a Local Service (1 or 2), trusted and untrusted segments, and a trunk to the LAN.]
136 Branch NFV Virtual Managed Services VMS Architecture
[Diagram: the customer orders a service through the Tenant Portal or Operator Portal; the Network Service Orchestrator (Tail-f NCS) drives, over NETCONF/YANG, a PnP server, Service Assurance and the Elastic Services Controller (ESC) on OpenStack; the x86 CPE (Linux KVM, OVS, Confd, ESC PnP functionality) at the customer site hosts a vRouter (CSR1Kv), NGFW and vWSA, behind an Internet gateway with further x86 servers.]
Labelled steps: X86 CPE shipped to the customer site, connected & powered on; X86 CPE zero touch provisioning; provide Day 1 configuration; provision CSR1Kv; establish VPN (IP overlay, Layer 2).
137 Branch NFV Insurance Company Planned Architecture and Operations
• Agent Office
  • 85% of offices have 5 agents
  • Template
    • Router/VPN – CSR
    • NGFW
    • NAS – Ctera
  • $500 per visit
  • Scheduled 1 time per year
  • Unscheduled 1-2 times per year
  • ~10% of offices move per year
• Data Center
  • NAS Manager (Ctera)
  • Centralized WLC
  • Centralized call control and gateway (CCM)
[Diagram, built up over slides 137-139: two Branch WAN Edge services hosts, each running a Security VNF, NAS (Ctera, future controller) and CSR with a CfgAgent per service over confd, on an NFV OS (agentless NSH*, KVM, hardware drivers) with memory, CPU, storage, hardware assist and network; connected across WAN / Internet to the Data Center services hosts (Ctera, CCM, WLC).]
Services Services Host Host 140 Branch NFV Enterprise Branch NFV New Technology Adoption
Source- Services Future Ctera Controller Fire CSR VNF NAS IPS Common CfgAgent CfgAgent CfgAgent CfgAgent confd Technology Stack NFV Hosting Software, Agentless NSH, and Optional Acceleration
Intel or Memory CPU Storage Cavium Network
• Adoption Phases • Benefits • Enterprise proves NFV is viable functionally • X86 platform for enterprise and service provider and operationally for any place • Enterprise device, cluster, and group managed • Enterprise operates at sufficient scale to • Enterprise switches to service provider managed understand cost of ownership • Potential for hybrid enterprise and service provider • Enterprise optionally turns over operations to hosting and management managed service providers for cost savings
141 Branch NFV Enterprise Branch NFV New Technology Adoption
Source- Services Future Ctera Controller Fire CSR VNF NAS IPS Common CfgAgent CfgAgent CfgAgent CfgAgent confd Technology Stack NFV Hosting Software, Agentless NSH, and Optional Acceleration
Intel or Memory CPU Storage Cavium Network Device or Cluster Management • Adoption Phases • Benefits • Enterprise proves NFV is viable functionally • X86 platform for enterprise and service provider and operationally for any place • Enterprise device, cluster, and group managed • Enterprise operates at sufficient scale to • Enterprise switches to service provider managed understand cost of ownership • Potential for hybrid enterprise and service provider • Enterprise optionally turns over operations to hosting and management managed service providers for cost savings
142 Branch NFV Enterprise Branch NFV New Technology Adoption
Source- Services Future Ctera Controller Fire CSR VNF NAS IPS Enterprise Common CfgAgent CfgAgent CfgAgent CfgAgent confd ESA Group Technology Based NFV Hosting Software, Agentless NSH, and Stack Management Optional Acceleration
Intel or Memory CPU Storage Cavium Network
• Adoption Phases • Benefits • Enterprise proves NFV is viable functionally • X86 platform for enterprise and service provider and operationally for any place • Enterprise device, cluster, and group managed • Enterprise operates at sufficient scale to • Enterprise switches to service provider managed understand cost of ownership • Potential for hybrid enterprise and service provider • Enterprise optionally turns over operations to hosting and management managed service providers for cost savings
143 Branch NFV Enterprise Branch NFV New Technology Adoption Service Provider Multitenant Source- Services Future Ctera Controller VMS Fire CSR VNF NAS IPS Common CfgAgent CfgAgent CfgAgent CfgAgent confd Technology Stack NFV Hosting Software, Agentless NSH, and Optional Acceleration
Intel or Memory CPU Storage Cavium Network
• Adoption Phases • Benefits • Enterprise proves NFV is viable functionally • X86 platform for enterprise and service provider and operationally for any place • Enterprise device, cluster, and group managed • Enterprise operates at sufficient scale to • Enterprise switches to service provider managed understand cost of ownership • Potential for hybrid enterprise and service provider • Enterprise optionally turns over operations to hosting and management managed service providers for cost savings
144 NFV Use Case Summary
• Fog / Edge / Branch
  • Router, firewall, WOC, CDN, application
• Data center branch/core WAN edge
  • Router, WOC, firewall, monitor
• Data center core
  • ADC, firewall, IPS/IDS, monitor
• Server farm
  • Firewall, IPS/IDS, monitor
  • DevOps to automate device package registration
• DeMilitarized Zone (DMZ)
  • Employee Internet Management (ADC, F-Proxy)
  • .com hosting (Router, ADC, firewall, IDS/IPS, R-Proxy, monitor)
  • Extranet (Router, firewall, VPN, IDS/IPS, monitor)
[Diagram: each place hosts virtual services VS #1 to #3 over Confd, OVS and KVM on memory, CPU, storage and network: branch, DC WAN edge, Internet edge, CDS and CCM pods, and 3rd party services hosts, connected across WAN / Internet.]
145 Putting IT Together
156 Enterprise NFV and Cloud Architecture
[Diagram: an X86 OS Hosting Store (NFVOS, CSP, Metapod, Linux, Windows, ESX, OSP, AzureStack, Other), a Service Repository (CSR, WOC, CDN, NAM, FW, IPS, NAS, Proxy, WAF, Voice, DNS, VMS, Apache, Apprenda, Hortonworks, Pivotal, RabbitMQ, Davra, MySQL, Mantl.io, ScaleArc, AppExp, AppSec, AppScale, AppMon) and a User & Application Policy Store (SAAS, User, Telephony, Branch Policy, Template). Places left to right: Fog/Branch on x86 compute with NFV OS and Confd; WAN Edge/Core on CSP (UCS) or VMS; Private DC/Cloud on ASR, Nexus 9000, ACI + UCS with Metapod OpenStack; Public Cloud with Metapod OpenStack; a Config Agent at each access, edge router, core and server layer.]
Fog / Branch
• Local performance
• Local availability
• Local processing
WAN Edge / Core
• Dynamic scale on x86
• Wire once, run any
• Optional acceleration
• Distributed scale
Private DC / Cloud
• Data protection
• Lowest cost
• Fixed/known capacity
• Disaster Recovery
Public Cloud
• Public facing presentation
• Intercompany
• Unknown/burst/one-time
Places (left to right): Fog/Branch, WAN Edge/Core, Private DC/Cloud, Public Cloud (Internet / Core Connect).
157 Welcome to NFV Jeopardy!
[Board, revealed progressively over slides 157-173; final state:]
Virtual Services | Networking | Places In The Network | Virtual Interfaces | Automation
$100: qcow2 and ISO | SFC | Fog | REST | NSO (Daily Double)
$200: VirtIO | OVS | DMZ | LibVirt | Confd
$300: PCIe Pass Through | VPP | Public Cloud | Netconf | (not revealed)
$400, $500, $1000, $2000: not revealed
173 Blogs
• 2015-11-09 Hubinomics - Open Source Is Eating Vendor Software
• 2015-10-19 From Managing Infrastructure To Offering Outcomes
• 2015-07-27 SDN Is Simply Agent Based Management
• 2015-07-21 A Brief Repeating History of Network Time
• 2015-07-17 Maslow's Hierarchy of Network IT Needs
• 2015-06-25 Virtual Realities - What Virtualization Rates Are Not Telling Us!
174 Call to Action
• Visit the World of Solutions for
  • Cisco Campus
  • Walk in Labs
  • Technical Solution Clinics
• Meet the Engineer
• Lunch and Learn Topics
• DevNet zone related sessions
175 Complete Your Online Session Evaluation
• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
176 Thank you