Virtualize Your Enterprise Through Network Function Virtualization Cloud Technologies
Jim French, Distinguished System Engineer, CCIE, CISSP
[email protected]
https://www.linkedin.com/in/frenchjp

Enterprise NFV Agenda

• NFV Requirements

• Software Components

• Hardware Components

• Use Cases and Solutions

• Putting IT Together

3 Network Function Virtualization Agenda

• NFV Requirements
• NFV Approach
• Software Components: KVM Hypervisor, Service Function Chaining SFC, Tail-f Confd, Openstack*, Elastic Services Controller ESC, Network Services Orchestrator NSO
• Hardware Components
• Use Cases: Fog / Edge / Branch, Cloud / Shared Hosting, Extranet
• Solutions: Cloud Services Platform CSP, vBranch, Extranet, Virtual Managed Services VMS*, Security Firepower 9300*
• Putting IT Together: Fog/Edge/Branch NFV, Data Center NFV

4 Network Function Virtualization Abbreviations

• BMA Bare Metal Agent
• CSP Cloud Services Platform
• CSR Cloud Services Router
• OSC Open SDN Controller
• XRV IOS XR Virtual
• VTS Virtual Topology System
• VPP Vector Packet Processing
• REST Representational State Transfer
• NFV Network Function Virtualization
• ODL Open Daylight Controller
• PnP Plug and Play
• SDN Software Defined Network
• SFC Service Function Chaining
• VNF Virtual Network Function

5 Network Function Virtualization Requirements

6 Requirements Varied and Dynamic Enterprise Interactions

[Figure: table of enterprise interaction dimensions. Users (employee, partner, vendor, customer, thing) on devices (VDI, PC, mobile, thing) reach applications from campus, branch, home or anywhere over leased line, MPLS, IPSec VPN or SSL/TLS; applications run in the private data center, a partner data center, SaaS or the cloud; data lives in NAS/SAN and databases, dedicated storage, an integrated store or on the client; hosting is private, dedicated, cloud or shared. Trends: SaaS growth increasing, trust decreasing, dedicated hosting decreasing.]

7 Requirements Quickly & Securely Consume Resources and Capabilities

Business problems drive architectures (simplification candidates), which drive workflows. Create, deploy, operate, and retire workflows for:
• Places - Branch / Data Center / DMZ
• People - Employee / Partner / Customer
• Things - Device / Sensor / Camera / Etc
• Applications – SAAS, IAAS / COTS, client/server
• Collaboration – Meetings / Events
Repeatable workflows/profiles and common workflow tasks; identify choke points and things to fix to achieve operational simplification and new capabilities.
http://www.frenchjim.com/2015/10/the-b4b-red-pill-to-move-from-offering.html

8-17 Requirements Non-Default Policy Application Deployment Challenge

• Users, branches, extranet partners, and applications change frequently
• Many require non-default experience, security, scale, or monitor services
• Non-default policy programming is frequent, costly, and error prone
• Interactions depend on many network services
• Network services are from many different vendors

[Figure, built up over slides 8-17: to insert, chain, scale and configure policy for one application, the application owner works through the IPAM, network, WAN optimization, security, ADC/application, monitoring, virtualization and DC network admins. Each admin drives a separate manager (Prime, WOCM, FWM, ADCM, vCenter, DCNM, 3rd party) over the WOC, firewall, QoS, DNS, class maps, ADC, monitor, vSwitch, WCCP, route, SPAN, map, redirect, VLAN, SNAT, VACL and vPath pieces of the traditional network.]

Result: complex, costly, error prone, policies are never removed, not secure.

Scale example (Auto): ~10,000 applications with ~10 year lifespan; 1000 applications deployed & retired per year; ~10 applications/week programmed and unprogrammed (20% are non-default behavior). CLI was never intended to provide frequent policy change. Change control can’t keep up!

18 DC Network Admin Insert, Chain, Requirements Where Are The Virtualizable Infrastructure Functions? Mirror App WAN Web DB Client VM Servers

Client / DMZ Data Center or Cloud Application Application Access Chain /Tenant Access Chain Access Chain Interaction Chain

• Client Access Chains are on the perimeter of the access network

• Data center or Tenant Chains reside on the WAN or Internet edge of the data center

• Application Access Chains are in the server farm core with north/south traffic

• Application Interaction Chain is in the server farm access with east/west traffic

19 Network Function Virtualization Approach

20 Network Function Virtualization Building Blocks

Hosting Nodes
– UCS B-series
– UCS C-series
– UCS M-series
– UCS Express
– CSP-2100
– ISA 3000

Transport Nodes
– NX-OS: Nexus 9/7/6/5/3/2/1K
– IOS XE: ASR, CSR, Catalyst 4500, ISR 4400
– IOS XR: ASR 9000, XRV
– IOS: Catalyst 2/3/6K, ISR

Service Node (aka VNF)
– WAN Optimization Controllers (WOC) - WAAS
– Security: Firewall - ASA; NextGen Firewall - FirePower
– Application Delivery Controller (ADC)
– Application Performance Monitoring (APM) - NAM
– Secure Web Gateways - WSA
– Content Delivery Network - VDS-IS
– Application Components

21 Network Function Virtualization Service Nodes Contain One or More Service Functions

• Transport: Routing / VRF, Bridging, Virtual gateway, VPN
• Experience: QoS, Deep packet inspection, WAN optimization, Caching of files/objects, Application Response Time (ART), Netflow, Performance Routing
• Security: Firewall (L2-4), NextGen Firewall (L3-7), DDoS, IDS / IPS, Antivirus (AV), Data Leakage Prevention (DLP), Anti-Malware Protection, Content Filtering, User / Device AAA, Network Auth 802.1x, Segmentation Tags
• Infrastructure Services: Voice/video, Directory, DNS, NAS, Lifecycle manager
• Applications: Business applications, IOT, Analytics, Etc.

22 Network Function Virtualization Service Nodes Implement Fixed Service Function Orders

Inside to Outside, IOS 12.4(T):
1. If IPSec then check input ACL
2. Decryption (CET or IPSec)
3. Check input ACL
4. Check input rate-limit
5. Input accounting
6. Policy Routing
7. Routing
8. WCCP Redirect IN
9. NAT inside to outside
10. Crypto (check map and mark for encr)
11. Inspect (CBAC) / IOS FW
12. TCP Intercept
13. Encryption
14. Queuing

Outside to Inside, IOS 12.4(T):
1. If IPSec then check input ACL
2. Decryption (CET or IPSec)
3. Check input ACL
4. Check input rate-limit
5. Input accounting
6. NAT outside to inside
7. Policy Routing
8. Routing
9. WCCP Redirect OUT
10. Crypto (check map and mark for encr)
11. Inspect CBAC
12. TCP Intercept
13. Encryption
14. Queueing

23 Network Function Virtualization Service Node Standard Interface Meta Data

• Service Node: Vendor, Product, Category
• Place: Branch / Store / Bank; Data Center; Cloud / Service Provider / Data Center; Carrier Transit Data Center PoP / CO
• Form Factors: Physical, ESX, KVM, Hyper-V, Xen, Amazon AMI, LXC / Docker Container
• Performance: DPDK, SR-IOV, PCI Pass Through, VirtIO

24 Network Function Virtualization Service Node Standard Interface Meta Data (Cont'd)

• Service Insertion
– Type: GoThrough Bridged, GoThrough Routed, GoTo VIP / Loopback, CopyTo
– Encapsulation: VLAN, VXLAN, NSH
– Clusters
– WCCP, AppNav, vPath 2.0, SFC
• Programmability: CLI / SSH, SNMP, GUI HTTPS, REST API, OpenFlow, Netconf / Restconf / Yang, Integrated Confd, NCS Tail-f Ned, Grapevine, Ubuntu / RHEL Openstack ML2 plugin
• Config Controller Support: APIC Opflex, APIC Device Package, APIC-EM, ODL, Life Cycle Manager (ESC, ESC-lite / VBO)

25 Network Function Virtualization Design Planning Questions

• If I start with a controller, what VNFs are available to me?

• If I start a hypervisor, what VNFs are available to me?

• If I have a specific VNF, what controllers are available?

• If I require high performance, what VNFs support VirtIO, DPDK, Cavium?

• If I deploy in the branch, which are intended for edge use?

• If I prefer REST API interfaces, which VNFs are compatible?

• If I want to use Network Service Header NSH chaining, what VNFs are available to me?

26 Network Function Virtualization Standard Interfaces For Flexibility & Reduced Complexity

[Figure: validated designs built on standard interfaces.]

27 Network Function Virtualization SDN Is Simply Agent Based Management

• 1993 – PCs transition from console to agent management
• 2001 – Wireless Access Points AP adopt agent management
• 2004 – Servers transition from console to agent management
• 2007 – Android and Apple IOS adopt cloud agent based management to achieve unprecedented growth
• 2015 – Network devices transition from console to agent management
• Support staff grows with device growth until agent based management is adopted

[Figure: number of devices by year, 1980-2020, for client PCs, servers, wireless APs, mobile and network devices, marking the point each adopted an agent (client/server agent, AP agent, server agent, mobile agent, Opflex, Meraki, Netconf/Yang network agent).]

http://www.frenchjim.com/2015/07/sdn-is-simply-agent-based-management.html

28 Network Function Virtualization State of the Industry

• CPU Virtual Technology VT enablement

• KVM viable hypervisor

• Physical network appliances widely available on ESXi and more recently KVM

• Agent-based orchestration (Netconf/Yang, Puppet, Chef, Ansible, OpFlex, Etc.)

• Adoption of x86 crypto and encap offload cards when needed

• Performance improvements in virtual switching (VPP and OVS user space)

• IETF standardized service chaining imminent

• Physical Linux appliances commonly have kernel mods, so it is too early for containers

29 Software Components Linux KVM Configuration Daemon (Confd) Openstack* Elastic Services Controller (ESC) Network Services Orchestrator (NSO) Portal

30 Linux KVM

31 Linux KVM Hypervisor

• A hypervisor or Virtual Machine Monitor (VMM) is a piece of computer software, firmware or hardware that creates and runs virtual machines.

• Allows multiple instances of a variety of operating systems to share the virtualized hardware resources.

• Type-1: native or bare-metal hypervisors - run directly on the host's hardware (VMware ESXi, Hyper-V, Citrix XenServer)

• Type-2: hosted hypervisors - just like a regular app on OS (VMware Workstation/Fusion, VirtualBox)

32 Linux KVM http://qemu.org QEMU (Quick EMUlator)

• Generic and open source machine emulator and virtualizer

• As emulator, QEMU can run OSes and programs made for one architecture (e.g. ARM) on a different machine (e.g. x86) by using dynamic binary translation

• As virtualizer, QEMU executes the guest code directly on the host CPU - achieved by complex software techniques, necessary to compensate for the processor's lack of virtualization support

• Single-threaded Linux process

33 Linux KVM http://www.linux-kvm.org Kernel-based Virtual Machine

• Virtualization infrastructure for the Linux kernel that turns it into a Hypervisor

• Linux infrastructure reuse (scheduler, MM, I/O, networking, logs...)

• Kernel module in Linux kernel mainline since 2.6.20 (2006)
– Provides interface for Intel VT-x or AMD-V
– Executes guest code
– Handles performance critical operations

• Userspace binary (kvm, qemu-kvm, qemu-system-x86_64...)
– Fork of QEMU
– Sets up VM and I/O devices
– Executes guest code via KVM kernel module
– I/O emulation

34 Linux KVM QEMU-KVM from Linux Perspective

[Figure: three qemu-kvm userspace processes, each owning its guest memory (seen by the guest as physical memory) and running vcpu0, vcpu1 and an iothread as ordinary threads; they reach the kvm-kmod kernel module through /dev/kvm, and the Linux kernel scheduler schedules the vCPU threads like any other.]

35 Linux KVM KVM Features

• i386 and x86_64 UniProcessing and Symmetric Multi-Processing SMP guests

• Runs Linux, Windows, and many other OSs

• PCI pass-through for performance

• ParaVirtualized I/O VirtIO

• Live migration including block migration

• Snapshot save/resume

• Guest swapping and memory deduplication

36 Linux KVM Qemu-KVM Command Line Example

    /usr/bin/kvm -S -M pc-1.0 -enable-kvm -m 2048 -smp 2,sockets=2,cores=1,threads=1 \
      -name jumphost-ikovacev-Win7 \
      -chardev socket,id=charmonitor,path=/var/lib//qemu/jumphost-ikovacev-Win7.monitor,server,nowait \
      -mon chardev=charmonitor,id=monitor,mode=control \
      -rtc base=localtime -no-shutdown \
      -drive file=/var/lib/libvirt/images/jumphost-ikovacev-Win7.qcow2,if=none,id=drive-virtio-disk0,format=qcow2 \
      -device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=2 \
      -drive file=/var/lib/libvirt/iso/en_windows_7_ultimate_x64_dvd_x15-65922.iso,if=none,media=cdrom,id=drive-ide0-0-0,readonly=on,format=raw \
      -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 \
      -netdev tap,fd=18,id=hostnet0 \
      -device e1000,netdev=hostnet0,id=net0,mac=52:54:00:a7:28:7e,bus=pci.0,addr=0x3 \
      -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 \
      -usb -device usb-tablet,id=input0 \
      -vnc 0.0.0.0:763 -vga std \
      -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5

37 Linux Networking

38 Linux Networking TAP and veth

• TAP = standard Linux device driver for creating L2 interfaces. Primarily used for allowing user-space programs to “inject” packets into Linux network stack.

    ip tuntap add dev eth0 mode tap

• veth = standard Linux device driver for creating L2 pipes (pair of linked Ethernet devices)

    ip link add veth0 type veth peer name veth1

39 Linux Networking Ethernet Bridge

• Part of Linux kernel networking stack
• Simple “unmanaged” switch with basic STP support (no VLANs)
• Packets switched by kernel based on mac address table
• Administered by brctl tool (config not persistent)
• In context of virtualization can be used to provide network access to VMs

[Figure: on the host, bridge br0 joins the physical eth0 with tap0 and tap1; each tap is the nic of a qemu guest OS.]

40 Linux Networking brctl usage

    brctl help
    brctl addbr br0
    brctl addif br0 eth0
    brctl show [br0]
    bridge name     bridge id               STP enabled     interfaces
    br0             8000.64122536573a       no              eth0
                                                            vnet0
                                                            vnet1
    brctl showmacs br0
    port no mac addr                is local?       ageing timer
      1     00:00:5e:00:01:dc       no                 0.03
      1     00:2a:6a:bd:48:01       no                18.56
      1     00:2a:6a:c4:46:01       no                 1.31
      2     52:54:00:a7:28:7e       no                 0.00
    ...
    brctl showstp br0
    eth0 (1)
     port id                8001                    state                forwarding
     designated root        8000.64122536573a       path cost                   4
     designated bridge      8000.64122536573a       message age timer        0.00
     designated port        8001                    forward delay timer      0.00
     designated cost           0                    hold timer               0.08

41 Linux Networking Network Namespaces

• Linux kernel feature for isolating the network interface controllers (physical or virtual), iptables firewall rules, routing tables etc.

• Similar to VRFs on Cisco IOS

    ip netns add <name>
    ip netns list
    ip link set <dev> netns <name>
    ip netns exec <name> <command>

    ip netns add blue
    ip link set eth0 netns blue
    ip netns exec blue ifconfig eth0 10.1.1.1/24 up
    ip netns exec blue ping 10.1.1.2

42 Linux Networking veth + netns + br

    ip netns add ns1
    ip netns add ns2
    brctl addbr br-test
    ip link add tap1 type veth peer name br-tap1
    ip link set tap1 netns ns1
    brctl addif br-test br-tap1
    ip link add tap2 type veth peer name br-tap2
    ip link set tap2 netns ns2
    brctl addif br-test br-tap2
    …

43 Linux Networking http://openvswitch.org Open vSwitch

• Open source implementation of a distributed virtual multilayer switch

• Main purpose is to provide a switching stack for virtualization environments

• Merged into the Linux kernel mainline in kernel version 3.3

• Features:
– VLANs with trunking, LACP, port-channels
– STP, BFD
– QoS, traffic policing
– NetFlow, SPAN, RSPAN
– traffic tunneling via GRE, VXLAN, IPsec
– kernel space and user space forwarding
– OpenFlow

44 Linux Networking OVS Packet Forwarding

• Decision about how to process packet made in userspace

• First packet of new flow goes to ovs-vswitchd, following packets hit cached entry in kernel

The Fast Data Project – Vector Packet Processing https://fd.io/

45 Linux Networking ovs-vswitchd

• Core component in the system:
– Communicates with outside world using OpenFlow
– Communicates with ovsdb-server using OVSDB protocol
– Communicates with kernel module over netlink
– Communicates with the system through netdev abstract interface

• Supports multiple independent datapaths (bridges)

• Packet processing order:
1. Packet received from kernel
2. Classifier module looks for matching flows and accumulates actions
3. Prior to 1.11, an exact match flow is generated with the accumulated actions and pushed down to the kernel module (along with the packet)
4. After 1.11 it is possible to push wildcards to kernel module (megaflows)

46 Linux Networking OVS Kernel Module

• Handles switching and tunneling

• Designed to be fast and simple (fast cache)
– Packet comes in; if found, associated actions executed and counters updated. Otherwise, sent to userspace
– Does no flow expiration
– Knows nothing of OpenFlow

• Packet processing order:
1. Packet arrives and header fields extracted
2. Header fields are hashed and used as an index into a set of large hash tables
3. If entry found, actions applied to packet and counters are updated
4. If entry is not found, packet sent to userspace and miss counter incremented
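The two-stage datapath of slides 44-46, as an added example that is not OVS code and not from this deck: a small Python model of the userspace classifier and the kernel fast-path cache, run once with exact-match entries (pre-1.11) and once with megaflows (1.11 and later) over constructed rules and traffic. It also shows a point the slides leave implicit: a megaflow must keep the fields of every higher-priority rule the classifier consulted, or it would later swallow packets that rule should have dropped.

```python
"""Toy model of the two-stage Open vSwitch datapath from slides 44-46: a
userspace classifier (ovs-vswitchd) holding wildcarded OpenFlow-style rules,
and a kernel fast-path cache that holds either exact-match entries (pre-1.11)
or wildcarded "megaflows" (1.11 and later). Added example, not OVS code."""
from dataclasses import dataclass, field

# Header fields the kernel extracts from every packet (constructed subset).
FIELDS = ("in_port", "eth_type", "src_ip", "dst_ip", "proto", "dst_port")


@dataclass
class Rule:
    match: dict      # field -> required value; fields not listed are wildcarded
    priority: int
    action: str


@dataclass
class Datapath:
    rules: list
    megaflows: bool
    # Kernel cache: one hash table per mask (tuple of masked fields), which is
    # what "hashed and used as an index into a set of hash tables" describes.
    tables: dict = field(default_factory=dict)
    upcalls: int = 0   # cache misses sent to userspace (the miss counter)
    hits: int = 0

    def _classify(self, hdr):
        """Userspace slow path. Returns (winning rule or None, fields examined).

        Every rule at or above the winner's priority was consulted, so the
        fields those rules test must stay in the installed mask. A mask that
        only covered the winner's own fields could later match packets that a
        higher-priority rule (here the SSH drop) should have caught."""
        examined = set()
        for rule in sorted(self.rules, key=lambda r: -r.priority):
            examined.update(rule.match)
            if all(hdr.get(k) == v for k, v in rule.match.items()):
                return rule, examined
        return None, examined          # no rule matched: table miss, drop

    def _install(self, hdr, rule, examined):
        """Push a cache entry down to the kernel and return its action."""
        if self.megaflows:
            mask = tuple(f for f in FIELDS if f in examined)
        else:
            mask = FIELDS               # exact match on every extracted field
        key = tuple(hdr[f] for f in mask)
        action = rule.action if rule else "drop"
        self.tables.setdefault(mask, {})[key] = action
        return action

    def receive(self, hdr):
        """Kernel fast path: probe each mask's table; on a miss, upcall."""
        for mask, table in self.tables.items():
            action = table.get(tuple(hdr[f] for f in mask))
            if action is not None:
                self.hits += 1
                return action
        self.upcalls += 1
        rule, examined = self._classify(hdr)
        return self._install(hdr, rule, examined)

    def cache_entries(self):
        return sum(len(t) for t in self.tables.values())


# Constructed rule set: drop SSH towards the server farm, forward other IPv4.
RULES = [
    Rule({"eth_type": 0x0800, "proto": 6, "dst_port": 22}, priority=100, action="drop"),
    Rule({"eth_type": 0x0800}, priority=10, action="output:2"),
]


def pkt(src_ip, dst_port):
    return {"in_port": 1, "eth_type": 0x0800, "src_ip": src_ip,
            "dst_ip": "10.0.0.5", "proto": 6, "dst_port": dst_port}


# Constructed traffic: 50 clients each start an HTTPS flow, then one tries SSH.
TRAFFIC = [pkt(f"192.0.2.{i}", 443) for i in range(1, 51)] + [pkt("192.0.2.7", 22)]


def run(megaflows):
    """Returns (action per packet, upcalls to userspace, kernel cache entries)."""
    dp = Datapath(RULES, megaflows)
    actions = [dp.receive(h) for h in TRAFFIC]
    return actions, dp.upcalls, dp.cache_entries()


if __name__ == "__main__":
    for mode in (False, True):
        acts, upcalls, entries = run(mode)
        print(f"megaflows={mode}: {upcalls} upcalls, {entries} cache entries, "
              f"SSH packet -> {acts[-1]}")
```

With exact-match caching every new client costs an upcall and a cache entry; with megaflows the same 51 packets need two upcalls and two entries, and the SSH packet is still dropped.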

47 Linux Networking OVS Utilities

• ovs-vsctl : configures ovs-vswitchd, but really a high-level interface to the OVSDB database

• ovsdb-tool : tool for managing database file

• ovs-ofctl : configure and query OpenFlow module

• ovs-appctl : utility for configuring and querying Open vSwitch daemons

http://openvswitch.org/support/ 48 Linux Networking ovs-vsctl

• ovs-vsctl show

• ovs-vsctl add-br BRIDGE

• ovs-vsctl list-br

• ovs-vsctl add-port BRIDGE PORT

• ovs-vsctl list-ports BRIDGE

• ovs-vsctl list TBL [REC]

• ovs-vsctl set TBL REC COL[:KEY]=VALUE

49 Linux Networking http://libvirt.org libvirt

• Open source toolkit to interact with the virtualization capabilities of various hypervisors (KVM, QEMU, ESXi, Xen...)

• Incorporates API, daemon and management tool

• Used by OpenStack, virt-manager...

• Config is stored in XML files at /etc/libvirt/qemu/

• virsh: front-end CLI

• python API is available

• domain = VM

55 Linux Networking network XML for OVS br-eth0

59 Linux Networking virsh - virtualization shell

• virsh help

• virsh list [--all]

• virsh start/destroy/reset DOMAIN

• virsh define/create FILE, virsh undefine DOMAIN

• virsh edit DOMAIN

• virsh dumpxml DOMAIN

• virsh net-list [--all]

• virsh net-* * = same as for domain

• virsh domblklist DOMAIN

60 Linux Networking http://virt-manager.org virt-manager

61 Linux Networking virt-install

    virt-install \
      --name=Win7 \
      --ram=2048 \
      --vcpus=2 \
      --noautoconsole \
      --os-type=windows \
      --os-variant=win7 \
      --disk path=/var/lib/libvirt/images/Win7.qcow2,format=qcow2,device=disk,bus=ide \
      --disk path=/var/lib/libvirt/iso/Win7.iso,device=cdrom,perms=ro \
      --boot=cdrom,hd \
      --network network=br-eth1,model=e1000 \
      --graphics vnc,listen=0.0.0.0,port=6663 \
      --import \
      --noreboot

62 Planned Service Function Chaining SFC with Network Service Header NSH

64 Service Function Chaining Current Hypervisor Edge Application Service Chaining

• Server farm service insertion is easy
• Traffic is destined for virtual machine through virtual switch Nexus 1000v or VMware DVS
• One way in and one way out
• vSwitch captures bidirectional flows destined for virtual machine and can redirect to service node anywhere
• In path in middle of network service insertion is not trivial because there are multiple paths
• VMware DVS requires

[Figure: two VMware vSphere hosts (memory, CPU, storage, network) running VNF #1-#3 and APP #1-#3 with an API agent, each attached to a Nexus 1000v or VMware DVS that uses vPath 2.0 to redirect client traffic through the service chain.]

65 Service Function Chaining vPath 2.0 to NSH

• IETF draft Network Services Header is missing a control plane
• 18 month investment to add redirection to a service node
• vPath 3.0 control plane
• Agentless vPath 3.0 supports any service node, on any VEM, anywhere
• Per service symmetric scale out
• KVM based
• Potential future container compatible
• Simplified operations
• Reduced subnet and IP address consumption
• Reduced VLAN management

[Figure: two KVM hosts (memory, CPU, storage, network) running VNF #1-#3 with an API agent. On the first, a non-participant service is reached by vPath 2.0 redirection between client and server; on the second, a Nexus 1000v with vPath 3.0 chains client and server.]

66 Service Function Chaining Network Service Header (NSH)

• IETF draft NSH encapsulation
• Participant service offers enhanced classification and segmentation
• Non-participant offers support for any 3rd party service via traditional VLAN or VXLAN
• Cisco NSH control planes
– OVS
– Nexus 1000v VEM with VSM*
• Benefits
– Simplified ordering of services across places
– Simplified IP Address Management (IPAM)
– Per service high available and symmetric scale out

[Figure: two KVM hosts (memory, CPU, storage, network), one on the LAN side and one on the WAN side, each running ASA, WAAS and CSR as service functions #1-#3 with an API agent behind a vSwitch; client-to-server traffic is steered through the chain with NSH.]
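The NSH encapsulation behind slides 64-66, as an added example that is neither Cisco nor OVS code: a Python encoder/decoder for the header as laid out in RFC 8300 (the published form of the IETF draft the slide cites), with the Service Function Forwarder and service-function steps that decrement TTL and Service Index, walked over a constructed ASA → WAAS → CSR path. Service path identifier 42, the path table and the drop-on-unknown-path behaviour are assumptions of the example.

```python
"""Encoder/decoder for the Network Service Header (NSH) that slides 64-66
chain VNFs with, plus the per-hop Service Index and TTL handling of a Service
Function Forwarder (SFF). Field layout follows RFC 8300, the published form of
the IETF draft the slides cite. Added example; not Cisco, OVS or N1Kv code."""
from __future__ import annotations
import struct
from dataclasses import dataclass

NEXT_PROTO = {"ipv4": 0x1, "ipv6": 0x2, "ethernet": 0x3, "nsh": 0x4, "mpls": 0x5}
MD_TYPE_1, MD_TYPE_2 = 0x1, 0x2
DEFAULT_TTL = 63                       # RFC 8300 default starting TTL


@dataclass
class NSH:
    spi: int                           # Service Path Identifier (24 bits)
    si: int                            # Service Index (8 bits), decremented per SF
    next_proto: int
    md_type: int = MD_TYPE_2
    ttl: int = DEFAULT_TTL
    context: bytes = b""               # MD type 1: exactly 16 bytes; type 2: TLVs

    def encode(self) -> bytes:
        if self.md_type == MD_TYPE_1 and len(self.context) != 16:
            raise ValueError("MD type 1 carries exactly 16 bytes of context")
        if len(self.context) % 4 or not (0 <= self.spi < 1 << 24 and 0 <= self.si < 256):
            raise ValueError("bad context length or SPI/SI out of range")
        length = 2 + len(self.context) // 4      # whole header, in 4-byte words
        # Base header: Ver(2) O(1) U(1) TTL(6) Length(6) U(4) MD Type(4) Next Proto(8)
        base = ((self.ttl & 0x3F) << 20 | (length & 0x3F) << 14
                | (self.md_type & 0xF) << 8 | (self.next_proto & 0xFF))
        return struct.pack("!II", base, (self.spi << 8) | self.si) + self.context

    @classmethod
    def decode(cls, buf: bytes) -> tuple[NSH, bytes]:
        """Parse one NSH from the front of buf; return (header, inner packet)."""
        if len(buf) < 8:
            raise ValueError("truncated NSH base header")
        base, sp = struct.unpack("!II", buf[:8])
        if base >> 30:
            raise ValueError("unsupported NSH version")
        length, md_type = (base >> 14) & 0x3F, (base >> 8) & 0xF
        if length < 2 or (md_type == MD_TYPE_1 and length != 6) or len(buf) < 4 * length:
            raise ValueError("bad NSH length")
        hdr = cls(spi=sp >> 8, si=sp & 0xFF, next_proto=base & 0xFF, md_type=md_type,
                  ttl=(base >> 20) & 0x3F, context=buf[8:4 * length])
        return hdr, buf[4 * length:]


def sff_forward(buf: bytes, path_table: dict) -> tuple[str, bytes]:
    """SFF step: look up (SPI, SI) for the next service function and decrement
    the TTL. Returns ("drop", b"") when the TTL would reach 0, the SI is 0, or
    the path is unknown, so a mis-set or looping chain cannot circulate forever."""
    hdr, inner = NSH.decode(buf)
    hop = path_table.get((hdr.spi, hdr.si))
    if hdr.ttl <= 1 or hdr.si == 0 or hop is None:
        return "drop", b""
    hdr.ttl -= 1
    return hop, hdr.encode() + inner


def sf_process(buf: bytes) -> bytes:
    """An NSH-aware (participant) service function hands the packet back with SI - 1."""
    hdr, inner = NSH.decode(buf)
    hdr.si -= 1
    return hdr.encode() + inner


# Constructed service path 42: ASA (SI 3) -> WAAS (SI 2) -> CSR (SI 1), as on slide 66.
PATH_TABLE = {(42, 3): "asa", (42, 2): "waas", (42, 1): "csr"}


def walk_chain(inner: bytes, spi: int = 42, first_si: int = 3) -> list[str]:
    """Classifier imposes the NSH, then SFF lookup and SF processing alternate
    until the chain is exhausted. Returns the service functions visited. (A real
    SFF would strip the NSH and deliver the inner packet at the end of the path.)"""
    pkt = NSH(spi, first_si, NEXT_PROTO["ipv4"]).encode() + inner
    hops = []
    while True:
        hop, pkt = sff_forward(pkt, PATH_TABLE)
        if hop == "drop":
            return hops
        hops.append(hop)
        pkt = sf_process(pkt)
```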

67 Configuration Daemon Tail-f Confd

68 Confd Configuration Daemon

Traditional Stovepipe Approach:
• Custom engineering
• Extraordinary effort
• Inconsistent across interfaces

Confd Approach:
• Open source
• Minimal effort
• Single source of truth across interfaces

69 ConfD Configuration and Operational State Abstraction

• Management agents: NETCONF, SNMP, CLI, and Web

• Management backplane provides hierarchical view of config and statistics data through Management API

• Management database may be the integrated CDB, distributed XML, or external

70 Elastic Services Controller (ESC) Lifecycle Management

71 Elastic Services Controller ESC Management Functions

• Agentless VNF management (Any Vendor, Any Application, Any VNF)
• VNF lifecycle management (Create, Read, Delete)
• VNF Day0 configurations
• VM and service monitoring
• VNF Auto-healing, recovery
• Service elasticity
• VNF license management
• Multi-VIM Infrastructure support
• End to End customization support for VNF operations
• Transaction resume and rollback
• Coupled VNF management (VM Affinity/Anti-affinity, startup order, VM interdependency)
• Service Advertisement

[Figure: the Elastic Services Controller (ESC) lifecycle loop around a VNF/VM: onboard, deploy, monitor, update, healing / fault-recovery, scale, undeploy.]

72 Elastic Service Controller Components

• NSO: programmable interface to ESC that allows functional interaction with ESC subcomponents
• Confd: allows modular communication with NSO; data model driven
• VM Provisioning & Configuration Module: OpenStack, public clouds, Day 0 config, DHCP, VNF bring-up & initial configuration, custom multi-vendor support
• Elasticity Rules Engine: affinity rules and scale requirements for the VNF components; also manages the startup sequences; scale up/down
• Service Monitor: Ganglia, SNMP, custom; ESC uses a multidimensional approach to VNF monitoring/restartability

73 Elastic Services Controller VNF Lifecycle Management – Monitoring & Elasticity Elastic Services Controller

[Figure: ESC components VNF Monitor, Analytic Engine, Rule Engine, Provisioning and Configuration. Provisioning bootstraps the VM, configuration bootstraps the service, and the monitor checks VM alive, process alive, service functional and overloaded/underloaded; every event can trigger a predefined action or a custom script.]

List of Events:
• VM Alive
• Service Alive
• Upper load threshold crossed
• Lower load threshold crossed
• Service Dead
• VM Dead

List of Actions:
• Notify (callback)
• Advertise Service
• Withdraw Service
• Restart VM
• Scale up (add a VM)
• Scale down (remove a VM)
• Individually customizable action(s) for every event

Simple Rules:
• Service Alive => advertise
• VM Dead => withdraw
• Upper load => scale up

Complex Rules:
• Service Alive => Advertise, Notify
• Upper load => Scale up, Notify, Advertise
• Service Dead => Withdraw, Notify, Restart

74 Elastic Services Controller Modularity Southbound VIM Northbound Orchestration System

Southbound VIM:
• vCenter
• Direct Hypervisor LibVirt*
• Openstack/KVM*
• Ubuntu Linux Containers*
• Clouds*

Elastic Services Controller: VNF Lifecycle management; Monitoring, Elasticity and Recovery; API / Netconf/Yang

Northbound Orchestration System:
• Cisco Network Services Orchestrator
• Openstack Heat
• Any 3rd Party NFV Service Orchestrator
• Yang Model driven or API Integration

* Planned

75 Network Services Orchestrator (NSO)

79-84 Network Service Orchestrator Hierarchy

Built up bottom to top over slides 79-84:
• Network Element Driver (NED) YANG: common mechanism for native interface to any HW / SW system; industry leading capability in NG SP YANG device management
• Device Model: abstraction of capabilities and services supported in a device or system via NED/YANG
• Service Models: construct services independent of infrastructure – reduce workflow in SP infra
• X-Domain Service Models: construct services independent of infrastructure – reduce workflow in SP infra

85 Network Services Orchestrator (NSO) Components

• Rest/NetConf/Yang northbound interface carrying Service Intent
• Service Models written in Yang abstract the service from the underlying physical devices
• Service Manager interprets Service Intent with Service Instantiation Rules and derives configuration deltas
• Mapping maps the Service Intent to the Derived Device Topology; known as “Fastmap”
• Transactional Database (CDB) allows full CRUD capabilities to services
• Device Manager manages derived and validated configurations in a transactional manner towards derived infrastructure
• Network Element Drivers abstract the interfaces to the devices, allowing 3rd party infrastructure to participate in Service Instantiation (i.e. ESC)
• Zero Touch Deployment (ZTD) PnP Server: open method for ZTD, open PnP drivers
• Managed infrastructure: domain controller, ISR, x86, virtual
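The Service Manager and "Fastmap" steps on slide 85, as an added example that is not NSO code: a Python toy that maps a service intent to per-device config, derives the delta against what the service owned before, applies it transactionally with rollback, and on undeploy removes exactly the lines it created, which is the answer to the "never remove policies" problem of slides 8-17. The intent format, device names, config syntax and the "unreachable" failure case are constructed for the example.

```python
"""Toy of the NSO service-manager flow on slide 85: a service intent is mapped
to device configuration, the result is diffed against what the CDB already
holds for that service, and only the delta is pushed in one transaction.
Remembering what each service derived lets a redeploy or undeploy take back
exactly the lines it created. Added example, not NSO code; devices and config
syntax are constructed."""
from copy import deepcopy


def map_service(intent: dict) -> dict:
    """The mapping ('Fastmap') step: service intent -> config lines per device.
    Stateless, so the same intent always derives the same configuration."""
    tenant, vlan = intent["tenant"], intent["vlan"]
    derived = {}
    for site in intent["sites"]:
        derived[site["router"]] = {
            f"vlan {vlan} name {tenant}",
            f"interface Vlan{vlan}",
            f"ip address {site['gateway']}",
        }
        if intent.get("firewall"):
            # Tenant-scoped rule on the firewall VNF fronting the site.
            derived[site["fw"]] = {
                f"access-list {tenant} permit tcp any {site['subnet']} eq 443"}
    return derived


def compute_delta(current: dict, desired: dict) -> dict:
    """Per-device configuration delta: lines to add and lines to remove."""
    delta = {}
    for dev in set(current) | set(desired):
        have, want = current.get(dev, set()), desired.get(dev, set())
        if have != want:
            delta[dev] = {"add": sorted(want - have), "remove": sorted(have - want)}
    return delta


class ServiceManager:
    def __init__(self):
        self.cdb = {}      # device -> set of config lines (stands in for the CDB)
        self.owned = {}    # service name -> config that service derived last time

    def _apply(self, delta: dict) -> None:
        """Device manager: push the delta as one transaction; any failure rolls
        every device back. A device named 'unreachable...' is the constructed
        failure case."""
        snapshot = deepcopy(self.cdb)
        try:
            for dev, ops in delta.items():
                if dev.startswith("unreachable"):
                    raise RuntimeError(f"{dev} rejected the transaction")
                lines = self.cdb.setdefault(dev, set())
                lines.difference_update(ops["remove"])
                lines.update(ops["add"])
        except RuntimeError:
            self.cdb = snapshot
            raise

    def deploy(self, name: str, intent: dict) -> dict:
        """Create or re-deploy: derive, diff against what this service owned
        before, apply only the difference. (Real NSO reference-counts lines
        shared by several services; this toy assumes no overlap.)"""
        desired = map_service(intent)
        delta = compute_delta(self.owned.get(name, {}), desired)
        self._apply(delta)
        self.owned[name] = desired
        return delta

    def undeploy(self, name: str) -> dict:
        """Delete a service: reverse everything it derived, and nothing else."""
        delta = compute_delta(self.owned.pop(name), {})
        self._apply(delta)
        return delta


# Constructed intent for one tenant at one branch.
INTENT = {"tenant": "acme", "vlan": 100, "firewall": True,
          "sites": [{"router": "branch1-isr", "fw": "branch1-asav",
                     "gateway": "10.100.1.1/24", "subnet": "10.100.1.0/24"}]}


def scenario():
    """Deploy, move the tenant to VLAN 200, undeploy. Returns the three deltas
    and the CDB contents after undeploy (empty on every device)."""
    sm = ServiceManager()
    d1 = sm.deploy("acme", INTENT)
    d2 = sm.deploy("acme", {**INTENT, "vlan": 200})
    d3 = sm.undeploy("acme")
    return d1, d2, d3, {dev: sorted(lines) for dev, lines in sm.cdb.items()}


def rollback_check() -> bool:
    """A failed redeploy must leave the CDB and the service's ownership as before."""
    sm = ServiceManager()
    sm.deploy("acme", INTENT)
    bad = {**INTENT, "vlan": 300,
           "sites": [{**INTENT["sites"][0], "router": "unreachable-isr"}]}
    try:
        sm.deploy("acme", bad)
    except RuntimeError:
        pass
    return (sm.cdb["branch1-isr"] == map_service(INTENT)["branch1-isr"]
            and sm.owned["acme"] == map_service(INTENT))
```

The VLAN move touches only the router lines that actually changed (the firewall ACL and the unchanged ip address line produce no delta), and the undeploy leaves no stale policy behind on either device.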

86 Network Services Orchestrator Hierarchy

• Business Service Model (YANG), constructed from topologies
• Topology: connecting component services
• Component Service Models (YANG): consuming capabilities exposed in YANG device models/NEDs
• Network Element Driver (NED)

87 Hardware Components

88 Hardware Components Compute For Any Place, Segment, or Environment

• UCS B-series
• UCS M-series
• UCS Mini
• UCS C-series
• ISR Embedded UCS E-series
• ISA 3000 Industrial Appliance

89 Use Cases

90 Solutions

[Figure: log-log chart of Service or Node VM Density (1 to 10000) against Sites or Locations (1 to 10000). Cloud Services Platform 2100 sits at high VM density and few sites; vBranch, IWAN, MPLS and Cloud VPN spread across many sites at lower density; Virtual Managed Services spans both.]

91 Data Center Use Cases CSP-2100

92 Data Center NFV Network Services Use Cases

[Figure: client traffic arrives through an ASR into Small, Medium and Large tenant deployments. Each tenant runs its own VPN services (CSR), WOC (WAAS), FW (ASA) and MON (NAM) as VNFs #1-#4, each with a CfgAgent, under a services controller (confd). The NFV hosting software is agentless, NSH-based, with optional acceleration, on Vagrant and Libvirt over memory, CPU, storage and Intel or Cavium network hardware. Further in, the Data Center Access Chain (ASA #1/#2 + ADC #1/#2), the App Access Chain (ASA + NAM) and the Application Server Environment in the server farm use the same hosting stack.]

93 Data Center NFV Historical Physical Network Services

Integrated service modules in the Catalyst 6500 (ACE, FWSM, NAM). Integrated Services provide:

• Flexibility to choose from range of interface types (1G/10G, WAN interfaces)
• Maximize ROI through investment protection
• Leverage switch features (Routing, Virtualization, Netflow) to provide end-to-end solution
• Leverage switch qualification like NEBS
• Reduce TCO through Infrastructure Simplification

94 Data Center NFV Network, Security, and Load Balancer Admin Challenges

• Keeping Up with the Server Team
• ESXi Product and Support Costs
• OpenStack Complexity
• Little or No Access to vCenter Server
• Lack of a Toolset to Manage Virtual Services
• Lack of Linux/OS Expertise
• Comfort with Dedicated HW Appliances
• Need for HW Performance (Sometimes)

95 Data Center NFV Hosting Platform Foundational Technologies

• Policy management for User and Application Segment
• Clustering for HA and scale
• Chaining that is open and agentless
• Service lifecycle management
• Provisioning, Operation, Monitoring, Troubleshooting
• Simplified, Libvirt, and Openstack APIs
• Hypervisor and vSwitch provisioning/operations
• Bare-metal provisioning
• Hardware acceleration (when necessary)

[Figure: Enterprise (Prime/APIC-EM) and Service Provider (NSO) management, OSS-specific CMS, per-service CfgAgents and Confd; Services: WAAS, Sourcefire IPS, ASAv, CSR; Common Control Technology Stack: Cloud OS on Linux KVM, SFC, custom hardware and I/O drivers; Memory, CPU, Storage, Network (Intel or Cavium). Green = Cisco Value Add.]

97 Data Center NFV What is the CSP 2100?

[Figure: layered stack]
• Management: NSO 4.1, ODL, etc.
• Interfaces: GUI, CLI, REST, NetConf
• Virtual services: 3rd Parties, OSC (ODL), CSR, XRv 9000, ASAv, VTS
• Platform: ConfD, Linux/KVM (RHEL 7.2), OVS, PCIe Passthrough, SR-IOV*
• Hardware: UCS, 1 & 10G SFP+, Crypto (LiquidSecurity)*

98 Data Center NFV CSP-2100 Benefits

• Easy-to-use GUI: Turn-key and simple; Network, security, and SLB admins; Lifecycle Management; Provision a new service within minutes
• Automation: Wire once use many; Use DevOps to automate ACI services; RESTful API; NetConf; CLI
• Clustering: Shared pool of resources; Auto-deploy redundant HA pair; One hardware for any virtual service
• High Performance: DPDK; PCIe Passthrough (OVS bypass); SR-IOV; HW offload using various PCIe cards (future)

99 Data Center NFV What Virtual Services Can I Run on the CSP 2100?

Existing Nexus 1010/1110 Services
• Network Analysis Module vNAM
• Virtual Security Gateway VSG
• Virtual Supervisor Module VSM
• Data Center Network Manager DCNM

Cisco KVM Virtual Services
• Elastic Services Controller ESC
• Virtual Topology System VTS
• Prime Network Services Controller PNSC
• Prime Service Catalog PSC
• IOS XRv 9000
• Cloud Services Router CSR
• Adaptive Security Appliance ASAv
• Open Daylight ODL
• Flexpod BMA
• RYU

Verified KVM 3rd Party Services
• Juniper SRX
• Citrix NetScaler VPX
• F5 LTM Virtual Edition
• A10 Networks

KVM Open Operating Systems
• Linux
• Red Hat
• Ubuntu
• Windows
• Any KVM-based service

100 Data Center NFV CSP-2100 Places and Virtual Services

[Figure: places in the network: POP / CO / COLO / HUB DC; WAN Edge / DMZ; Core; Server Farm (App, Web, DB servers).]

Virtual services shown across these places: Router, ADC, Firewall, WAN Accelerator, IDS/IPS, CDN, Monitor, Remote Access VPN, Management VPN, Extranet VPN, VPN concentrator, Automation, Security Proxy, WAF.

101 Data Center NFV Detailed CSP-2100 Software Block Diagram

[Figure: User, GUI, Customer SW and NSO reach the CSP2100 through WebServer, REST API, CLI and Netconf/Yang; inside, ConfD (AAA, C/Python, Confd Database) drives LibVirt and Images on the RHEL 7.2 Kernel.]

• Uses ConfD to supply much of the user interface and configuration storage
• IOS-XR -like CLI
• REST / NetConf / Yang
• AAA

102 Data Center NFV CSP Demo

https://www.youtube.com/watch?v=5Uq7rsfs7wg

103 Data Center NFV CSP Web UI Running on Every Node in the Cluster

104 Cisco Confidential 9 Data Center NFV CSP Cluster Repository

105 Data Center NFV CSP Deploying a New Service

106 Data Center NFV GUI CLI

Virtual Service Deployment Wizard: GUI, CLI, REST

Sample Service Creation - CLI Command:

    conf terminal
    service tiny_cli
      memory 4098
      disk_size 8
      iso_name TinyCore-current.iso
      power on
      vnic 0
        network_name enp7s0

Sample Service Creation - REST Command:

    curl -ku admin:admin -X POST https://10.29.174.39:443/api/running/services \
      -H "Content-Type: application/vnd.yang.data+json" \
      -d '{"service": {"name":"tiny_rest", "iso_name":"TinyCore-current.iso", "power":"on", "memory":"4098", "disk_size":"8", "vnics": {"vnic": [{"nic":"0", "type":"access", "network_name":"enp7s0"}]}}}'

119 Data Center NFV Physical Network Ports

120 Data Center NFV CSP Services View

121 Data Center NFV Confd Autogenerated Yang Sample

    container services {
      tailf:unique-selector 'service/serial_ports/serial_port' {
        tailf:unique-leaf 'serial_type';
        tailf:unique-leaf 'service_port';
      }
      list service {
        tailf:cli-enforce-table;
        tailf:cli-show-template
          "$(name|ljust:32) $(power|ljust:6) $(state|ljust:15) $(error)" {
          tailf:cli-auto-legend;
        }
        key name;
        tailf:callpoint change_vsb {
          tailf:transaction-hook subtree;
        }
        leaf uuid {
          type yang:uuid;
          tailf:cli-drop-node-name;
          description "uuid of service";
        }
        leaf name {
          type string {
            length 1..32;
            pattern "[A-Za-z0-9_\-]+";
          }
          description "service name";
        }
        leaf memory {
          type int32;
          description "RAM of VSB, in MB";
          default 2048;
          tailf:info "RAM of VSB, in MB";
          tailf:cli-show-with-default;
        }

122 Data Center NFV Confd Autogenerated Yang Sample (Cont'd)

        leaf numcpu {
          type int8;
          description "number of vcpus for VSB";
          default 1;
          tailf:cli-show-with-default;
        }
        leaf macid {
          type uint8;
          description "short per VSB id, internal only";
          default 1;
        }
        leaf disk_loc {
          type string {
            length 1..80;
            pattern "[A-Za-z0-9_\-\.]+";
          }
          description "path to HD image";
        }
        leaf disk_size {
          type int32;
          description "disk size of VSB, in GB";
          tailf:info "disk size of VSB, in GB";
          default 4;
          tailf:cli-show-with-default;
        }
        leaf iso_name {
          type string {
            length 1..80;
            pattern "[A-Za-z0-9_\-\.]+";
          }
          description "path to ISO image";
        }
        leaf vm_type {
          type enumeration {
            enum generic;
          }
          description "VM type (generic or none)";
          default generic;
        }
        leaf power {
          type enumeration {
            enum off;
            enum on;
            enum reset;
            enum reboot;
          }
          description "power (off, on, reset, reboot)";
          default off;
        }
        leaf state {
          config false;
          tailf:cdb-oper {
            tailf:persistent true;
          }
          // the slide excerpt ends here; closing braces added so the sample parses
        }
      }
    }
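The REST sample on slide 107 posts a JSON service body that ConfD validates against the autogenerated YANG model above. As an added example (not code from the deck or from Cisco), the following Python builds that body, checks it locally against the constraints visible in the YANG sample, and prepares the request with a caller-supplied credential and CA bundle rather than `-k` and `admin:admin`; the host name, credentials and CA bundle path are placeholders.

```python
"""Build and locally validate a CSP 2100 service-creation request.

Added example, not code from the deck or from Cisco. It reproduces the
JSON body of the deck's curl sample (POST /api/running/services) and
checks each field against the constraints shown in the autogenerated
ConfD YANG sample (name pattern/length, image-name pattern, int32 sizes,
power enumeration) before a request object is built. Host name, user,
password and CA bundle path are placeholders supplied by the caller.
"""
import base64
import json
import re
import ssl
import urllib.request

# Constraints transcribed from the YANG sample on the slides.
NAME_RE = re.compile(r"[A-Za-z0-9_\-]{1,32}")      # leaf name
IMAGE_RE = re.compile(r"[A-Za-z0-9_\-\.]{1,80}")   # leaf iso_name / disk_loc
POWER_STATES = ("off", "on", "reset", "reboot")     # leaf power enumeration
INT32_MAX = 2 ** 31 - 1                             # memory / disk_size are int32
CONTENT_TYPE = "application/vnd.yang.data+json"     # from the deck's curl sample


def build_service(name, iso_name, network_name, memory=2048, disk_size=4,
                  power="off", nic=0):
    """Return the request body for one service, or raise ValueError.

    Defaults (memory 2048 MB, disk_size 4 GB, power off) are the YANG
    defaults; the deck's sample overrides them with 4098, 8 and "on".
    Numbers are sent as strings to match the deck's curl body exactly.
    """
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"service name {name!r} violates [A-Za-z0-9_-]{{1,32}}")
    if not IMAGE_RE.fullmatch(iso_name):
        raise ValueError(f"iso_name {iso_name!r} violates the image pattern")
    if not network_name:
        raise ValueError("network_name must not be empty")
    for label, value in (("memory", memory), ("disk_size", disk_size)):
        if not isinstance(value, int) or not 0 < value <= INT32_MAX:
            raise ValueError(f"{label} must be a positive int32, got {value!r}")
    if power not in POWER_STATES:
        raise ValueError(f"power must be one of {POWER_STATES}, got {power!r}")
    return {
        "service": {
            "name": name,
            "iso_name": iso_name,
            "power": power,
            "memory": str(memory),
            "disk_size": str(disk_size),
            "vnics": {"vnic": [{"nic": str(nic), "type": "access",
                                "network_name": network_name}]},
        }
    }


def build_request(host, body, user, password, port=443):
    """Return a urllib Request equivalent to the deck's curl command.

    Credentials are passed in by the caller rather than hard-coded, and
    the request carries the Content-Type the ConfD REST API expects.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}:{port}/api/running/services",
        data=json.dumps(body).encode(),
        method="POST",
    )
    req.add_header("Content-Type", CONTENT_TYPE)
    req.add_header("Authorization", f"Basic {token}")
    return req


def create_service(host, body, user, password, ca_bundle):
    """Send the request, verifying the CSP's TLS certificate against
    ca_bundle (placeholder path) instead of disabling verification as
    curl -k does. Returns (HTTP status, response text)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = build_request(host, body, user, password)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Constructed input: the same values as the deck's tiny_rest sample.
    payload = build_service("tiny_rest", "TinyCore-current.iso", "enp7s0",
                            memory=4098, disk_size=8, power="on")
    print(json.dumps(payload, indent=2))
```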

123 Data Center NFV Attaching Virtual Services Virtio To External Networks

[Figure: a CSP (Linux, KVM, Confd) with PNIC1 to PNICn. Firewall and SLB virtual services attach to the physical switches (Services, Control, To Client, To Server) through the PNICs.]

• Connect each service to 2 or more external network PNICs using VirtIO to minimize OVS impact on performance (client, server, FT*)

• Rely on physical switches for VLAN stitching

124 Data Center NFV Attaching Virtual Services To External & Internal Networks

[Figure: as on the previous slide, but the Firewall and SLB also connect to each other through VNICs on an internal vSwitch inside the CSP.]

1. Connect client side virtual service to external PNIC facing client

2. Connect virtual services internally to each other automatically creating a vSwitch

3. Connect server side virtual service to external PNIC facing client

125 Data Center NFV CSP Virtual Services Levels Of Control

[Figure: NSO, WAAS CM, Firesight Manager and Virtual Service Router Config manage the services (WAAS, Sourcefire IPS, ASAv, CSR) through Netconf/Yang, CMS CfgAgent, NED and Agent*; Confd fronts the Common Control Technology Stack (Cloud OS on Rhel, Service Chaining and Optional Acceleration) over Memory, CPU, Storage and Network (Intel or Cavium).]

• Platform Management
  • Confd provides CLI, API, WebUI (hypervisor appliance)
  • NSO provisions virtual services through Netconf/Yang to Confd, or a 3rd party controller provisions through the RESTconf API
• Virtual Service Management
  • Some virtual services use proprietary agents / managers
  • NSO offers service/device management for many through a Network Element Driver (NED)

126 Data Center NFV CSP Software Release 2.0

• Support for UCSD and Bare Metal Agent BMA for FlexPod Automation

• Multi-disk partition support for services like PNSC and vWAAS

• Day.0 config file support for services like ASAv, CSR and others

• NFS support for image repository or virtual service disk creation location

• Multiple serial console support for services like XRv with 5 serial consoles

• Service Templates to save the virtual service resource configuration and re-use it for launching new virtual services

• Import/export machines (i.e. snapshot)

• Upgraded to RHEL 7.2 from RHEL 7.0 for services like VTS that require nested virtualization

127 Use Cases Branch

128 Branch NFV Trends

• Ethernet handoff availability growing

• IP telephony centralized call control and gateways

• Internet offload

• Direct Internet access

• Availability of virtualized network services

• Re-introduction of centrally managed x86 compute

• Internet of Things (IOT) / Internet of Everything (IOE)

129 Branch NFV Benefits

• Reduction of network elements to manage
• Automated network deploy & operations
• Capex reduction by deployment of standard x86-based servers
• Service Elasticity – Quick time to market
• Operational efficiencies through virtualization
• Deployment of best-of-breed
• Reduced complexity for High Availability
• OPEX decrease by reduction of branch visits or shipments

130 Branch NFV All-In-One AND A La Carte

• All-In-One (Enable Features)
  • Services: Route, Accelerate, VPN, Firewall, Content filtering, IPS/Snort
  • Products: ISR, Meraki
  • Customers: Commercial, SLED
• A La Carte (Enable VNF)
  • Profiles: Cisco All-In-One plus some 3rd party; Possible pure A La Carte with no Cisco service nodes
  • Customers: Globals and Enterprise; Verticals – Retail, Banking, Insurance, etc.

132 Branch NFV Bank Non-Redundant x86 Virtual Topology

[Figure: a single WAN1 link into one x86 host; WAN traffic passes through CSR1 and WAAS1 (Local Service 1) to the inside SRV PNIC and a trunk to the LAN via the x86 vSwitch. Each service is a Virtual Service.]

133 Branch NFV Bank Redundant x86 Virtual Topology

[Figure: two x86 hosts, each with its own WAN link (WAN1, WAN2), its own CSR and WAAS (Local Service 1 and Local Service 2), an inside SRV interface and a trunk to the LAN.]

134 Branch NFV Insurance Redundant Link x86 Virtual Topology

[Figure: one x86 host with two WAN links (WAN1, WAN2); traffic passes through the NGFW and CSR, alongside a NAS virtual service, to the inside SRV interface and the LAN.]

135 Branch NFV Retail Company Redundant x86 Virtual Topology

[Figure: two x86 hosts, each with a WAN link (WAN1, WAN2), an NGFW and CSR (Local Service 1 and Local Service 2), trusted and untrusted segments, and a trunk to the LAN.]

136 Branch NFV Virtual Managed Services VMS Architecture

[Figure: a customer orders a service through the Tenant Portal or Operator Portal; the Network Service Orchestrator (Tail-f NCS) uses NETCONF/YANG towards a PnP server, Service Assurance and the Elastic Services Controller (ESC), which provisions CSR1Kv on OpenStack/OVS. The X86 CPE (vRouter, NGFW, vWSA on Linux KVM with Confd, ESC and PnP functionality) is shipped to the customer site, connected and powered on; zero touch provisioning supplies the Day 1 configuration and establishes the VPN (IP overlay, Layer 2) to the Internet gateway and X86 servers.]

137 Branch NFV Insurance Company Planned Architecture and Operations

• Agent Office
  • 85% of offices have 5 agents
  • Template: Router/VPN – CSR; NGFW; NAS – Ctera
  • $500 per visit
  • Scheduled 1 time per year
  • Unscheduled 1-2 times per year
  • ~10% of offices move per year
• Data Center
  • NAS Manager
  • Centralized WLC
  • Centralized call control and gateway

[Figure: two Branch WAN Edge services hosts (Future Ctera Controller, Security VNF, NAS, CSR over CfgAgents, confd, NFV OS, Agentless NSH*, Hardware Drivers, KVM, Memory/CPU/Storage/Hardware Assist/Network) connected over the WAN / Internet to the Data Center (Ctera, CCM, WLC).]

138 Branch NFV Insurance Company Planned Architecture and Operations

[Build of slide 137: adds the branch services host stack.]

139 Branch NFV Insurance Company Planned Architecture and Operations

[Build of slide 138: adds the data center Ctera, CCM and WLC.]

140 Branch NFV Enterprise Branch NFV New Technology Adoption

[Figure: Services host with Future Ctera Controller, Sourcefire IPS, CSR and VNF NAS over CfgAgents and confd; Common Technology Stack: NFV Hosting Software, Agentless NSH, and Optional Acceleration over Memory, CPU, Storage and Network (Intel or Cavium).]

• Adoption Phases
  • Enterprise proves NFV is viable functionally and operationally for any place
  • Enterprise operates at sufficient scale to understand cost of ownership
  • Enterprise optionally turns over operations to managed service providers for cost savings
• Benefits
  • X86 platform for enterprise and service provider
  • Enterprise device, cluster, and group managed
  • Enterprise switches to service provider managed
  • Potential for hybrid enterprise and service provider hosting and management

141 Branch NFV Enterprise Branch NFV New Technology Adoption

[Same slide; highlights Device or Cluster Management.]

142 Branch NFV Enterprise Branch NFV New Technology Adoption

[Same slide; highlights Enterprise ESA Group Based Management.]

143 Branch NFV Enterprise Branch NFV New Technology Adoption

[Same slide; highlights Service Provider Multitenant VMS.]

144 NFV Use Case Summary

• Fog / Edge / Branch: Router, firewall, WOC, CDN, application
• Data center branch/core WAN edge: Router, WOC, firewall, monitor
• Data center core: ADC, firewall, IPS/IDS, monitor
• Server farm: Firewall, IPS/IDS, monitor; DevOps to automate device package registration
• DeMilitarized Zone (DMZ): Employee Internet Management (ADC, F-Proxy); .com hosting (Router, ADC, firewall, IDS/IPS, R-Proxy, monitor); Extranet (Router, firewall, VPN, IDS/IPS, monitor)

[Figure: each place hosts VS #1 to #3 on Confd, OVS and KVM over Memory, CPU, Storage and Network, from the branch across the WAN / Internet to the DC WAN edge, Internet Edge, core, CDS, CCM, 3rd party and Services Host pods.]

145 Putting IT Together

156 Enterprise NFV and Cloud Architecture

Places: Fog; Edge / Branch; Private WAN Edge/Core; Private DC/Cloud; Public Cloud; Internet Core Connect.

• X86 OS Hosting Store: NFVOS, CSP, Metapod, Linux, Windows, ESX, OSP, AzureStack, Other
• Service Repository: CSR, WOC, CDN, NAM, FW, IPS, NAS, Proxy, WAF, Voice, DNS, VMS, Apache, Apprenda, Hortonworks, Pivotal, RabbitMQ, Davra, MySQL, Mantl.io, ScaleArc, AppExp, AppSec, AppScale, AppMon, SAAS
• User & Application Policy Store: User, Telephony, Branch Policy, Policy, Template

Characteristics, in four groups from left to right across the places:
• Local performance; Local availability; Local processing
• Dynamic scale on x86; Wire once, run any; Optional acceleration; Distributed scale
• Data protection; Lowest cost; Fixed/known capacity; Disaster Recovery
• Public facing presentation; Intercompany; Unknown/burst/one-time

[Figure: per place, a User / Branch / Application Policy layer, the hosted services (WOC, Ctera, DNS, NAM, FW, SLB, CSR, CDN, IPS, ADC, Apache, Pivotal, Apprenda, Davra, RabbitMQ, MySQL, ScaleArc, MapR), the hosting OS (NFV OS with Confd, CSP OS with Confd, Metapod Openstack), x86 compute (CSP on UCS or VMS; ASR, Nexus 9000, ACI + UCS), Config Agents, and the Access / Edge Router / Core / Access Server roles.]

157 Welcome to NFV Jeopardy! Categories: Virtual Services, Networking, Places In The Network, Virtual Interfaces, Automation

Board values in each of the five categories: $100, $200, $300, $400, $500, $1000, $2000.

158 to 173 Welcome to NFV Jeopardy! (progressive reveals of the same board; final state)

• $100: Virtual Services - qcow2 and ISO; Networking - SFC; Places In The Network - Fog; Virtual Interfaces - REST; Automation - NSO (Daily Double)
• $200: Virtual Services - VirtIO; Networking - OVS; Places In The Network - DMZ; Virtual Interfaces - LibVirt; Automation - Confd
• $300: Virtual Services - PCIe Pass Through; Networking - VPP; Places In The Network - Public Cloud; Virtual Interfaces - Netconf; Automation - not revealed
• $400, $500, $1000, $2000: not revealed

173 Blogs

• 2015-11-09 Hubinomics - Open Source Is Eating Vendor Software

• 2015-10-19 From Managing Infrastructure To Offering Outcomes

• 2015-07-27 SDN Is Simply Agent Based Management

• 2015-07-21 A Brief Repeating History of Network Time

• 2015-07-17 Maslow's Hierarchy of Network IT Needs

• 2015-06-25 Virtual Realities - What Virtualization Rates Are Not Telling Us!

174 Call to Action

• Visit the World of Solutions for
  • Cisco Campus
  • Walk in Labs
  • Technical Solution Clinics

• Meet the Engineer

• Lunch and Learn Topics

• DevNet zone related sessions

175 Complete Your Online Session Evaluation

• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

176 Thank you
