
You can keep your firewall (if you want to): Practical, simple and cost saving applications of OpenDaylight you can implement today



  1. “You can keep your firewall (if you want to)”
     Practical, simple and cost saving applications of OpenDaylight you can implement today
     John Sobanski, Engineer, Solers Inc.
     July 2015
     @OpenDaylightSDN #OpenSDN

  2. What You Will Learn today (By Demonstration)
     • 10,000 Foot Views of Software Defined Networking (SDN), OpenDaylight (ODL) and Service Function Chains (SFC)
     • Solve real world data center problems with ODL
     • RESTCONF API
     • ODL Service Function Chaining
     • Feel free to contact me for any details I don't cover here: jsobanski@solers.com, https://ask.opendaylight.org/users/420/runamuck/

  3. Top three emerging technologies of the decade?
     • My take…
       • Big Data
       • DevOps
       • Software Defined Networks
     • Any Others?

  4. “Is SDN Hype?”
     • “Big Data and DevOps have clear applications and use cases but Software Defined Networks appears to be a solution in search of a problem.”
     • “Most SDN activity is focused in Academia or dedicated ‘Network Function Virtualization (NFV)’ shops... not relevant to us.”
     • "SDN/NFV only applies to Greenfield Architectures."
     These slides will prove these opinions wrong.

  5. “Who cares about networks?”
     • Answer: You Do! Network latency and/or loss breaks services.

  6. “Latency and Loss doesn’t apply to my Data Center”
     • “Latency and Loss? I've got dozens of 10GbE ports!!!”
     • Layer 2: Spanning tree protocol
       • Blocks all but one path to prevent loops
       • (Enable LACP/LAG)
     • Layer 3: Shortest path first
       • Sends all traffic through a congested "one hop" path over a wide open "two hop" path
       • (Try Traffic Engineering)
     • Layer 4: Default TCP buffers
       • Small buffers mean more round trips. Latency throttles throughput.
       • (Tune the buffer)
     You need to care about the network!

  7. What are Network Services?
     • Familiar Network Services
       • Load Balancing
       • Firewall
       • Deep Packet Inspection (DPI)
       • Access Control Lists
       • Parental Control
     • Other Network Services
       • "Global State" (Routing)
       • Broadcast Domain Scoping (VLAN)
       • Resource Signaling
       • Prioritization and Preemption
       • Multicast
       • N-Cast

  8. 10,000 Foot Overview
     • 10,000 Foot view of SDN
       • At any given time, use a centralized controller to move data through your network equipment as you see fit
       • Doesn't seem like a big deal to non-network types but this is incredibly powerful!
     • 10,000 Foot view of OpenDaylight
       • Allows you to install network services as "Apps"
       • Provides a single REST API to configure heterogeneous hardware
       • This is a “no brainer” for developers but is HUGE for network engineers
     • 10,000 Foot view of Service Function Chains
       • “Service Overlay”
       • Divorce Network Services From Topology
     • For more detail see:
       • https://www.opennetworking.org/sdn-resources/sdn-definition
       • http://www.opendaylight.org/project/technical-overview
       • https://wiki.opendaylight.org/view/Service_Function_Chaining:Main

  9. A Little More Detail: SDN Layers
     • Top Layer → Northbound
       • Network Apps & Orchestration
       • Business logic to monitor and control network behavior
       • Thread services together
     • Middle Layer → Controller Platform
       • Exposes "Northbound" APIs to the Application layer
     • Lower Layer → Southbound
       • Command and control of hardware
       • Network Devices (Physical or Virtual)
       • Switches, Routers, Firewalls etc.

  10. A Little More Detail: OpenDaylight
     • OpenDaylight
       • Open source project
       • Modular/Pluggable and flexible controller platform
       • Java Virtual Machine (JVM)
       • Dynamically Pluggable Modules for Network Tasks
       • OSGi framework (local applications)/bidirectional REST (local or remote) for the northbound API
     • Network Apps
       • House business logic and algorithms
       • Gather network intelligence from the controller
       • Run algorithms to perform analytics
       • Orchestrate new rules (if any) via controller
     • Southbound
       • OpenFlow 1.3, OVSDB, SNMP, CLI
       • Service Abstraction Layer links Northbound to Southbound

  11. A Little More Detail: ODL

  12. A Little More Detail: SFC
     • SFC enables a “service topology”
       • Overlay built “on top” of existing network topology
       • Use any overlay or underlay technology to create service paths
         • VLAN, ECMP, GRE, VXLAN, etc.
     • SFC provides resources for consumption
       • Service Topology connects those resources
     • Quickly/Easily add new service functions
       • Requires no underlying network changes

  13. One Caveat Before we begin
     • WARNING: Software Defined Networking is incredibly powerful!
     • You must protect your Southbound interfaces with the same regard as a firewall or any root privileges
     • ODL accommodates TLS for Southbound interfaces
     • The security, identity and bureaucratic planes are orthogonal to the technology plane we discuss here
     • We do not discuss security, identity or policy but you must consider them when architecting your ODL solution

  14. One more Caveat
     • WARNING: If you are not a hands-on network engineer, this presentation may "spoil" you.
     • Providing the following two OPSCON using legacy protocols may be impossible, and at the very least requires intense, disciplined, meticulous network engineering.

  15. DPI Bypass Approach #1: RESTCONF API

  16. OPSCON #1: Deep Packet Inspection Bypass
     • This scenario investigates how to reduce latency
     • You have a data center that performs deep packet inspection (DPI) for inter-network flows
     • DPI injects latency into the end to end (E2E) flow and increases Round Trip Time (RTT)
     Reminder: Network latency and loss breaks services!

  17. Topology
     • Network gateways in Firewall/DPI appliance
     • VLAN steer (bent pipe) traffic through DPI (via gateways) for inter-network flows
     • Can we create logic to DPI only once?

  18. One Approach
     • Put logic (i.e. rules) in the DPI appliance to bypass certain flows
     • This, however, consumes resources and can saturate the backplane
     Put logic here?

  19. Better Approach
     • Use the OpenDaylight controller and put logic in the switch!
     Put logic here!

  20. OPSCON #1 Detailed Topology

  21. DPI Bypass Demo Approach #1: RESTCONF API
     Note: This section will be a live demonstration

  22. Step 1: Start ODL Platform via Client
     • Platform includes controller
     • Install Network Apps via command line

  23. Validate Topology
     • Connect to controller and “pingall”

  24. ODL Shows the Layer 2 Interfaces

  25. Baseline: Two DPI = Severe Latency
     • Ping from Client (h1) to Server (h3) shows 40+ ms latency

       mininet> h1 ping h3
       PING 10.0.3.101 (10.0.3.101) 56(84) bytes of data.
       64 bytes from 10.0.3.101: icmp_seq=1 ttl=62 time=42.1 ms
       64 bytes from 10.0.3.101: icmp_seq=2 ttl=62 time=41.3 ms
       64 bytes from 10.0.3.101: icmp_seq=3 ttl=62 time=41.1 ms
       ^C
       --- 10.0.3.101 ping statistics ---
       3 packets transmitted, 3 received, 0% packet loss, time 2003ms
       rtt min/avg/max/mdev = 41.119/41.546/42.143/0.465 ms

  26. Baseline: End to End (E2E) Path
     • Traceroute shows a path through the two DPI gateways, as expected

       mininet> h1 traceroute -n h3
       traceroute to 10.0.3.101 (10.0.3.101), 30 hops max, 60 byte packets
        1  10.0.1.1  21.180 ms  21.028 ms  20.837 ms
        2  10.0.2.1  42.565 ms  42.482 ms  42.418 ms
        3  * * 10.0.3.101  43.144 ms
       mininet>

  27. Configure Switch via ODL Platform REST API

  28. Configure Switch via ODL Platform REST API
     • Use these headers:

       Accept: application/xml
       Authorization: Basic YWRtaW46YWRtaW4=

     • Then post the following flows (next slide) to Switch 2's table zero:

       PUT flow with ID 202 to http://<controller_ip>:8181/restconf/config/opendaylight-inventory:nodes/node/openflow:2/table/0/flow/202
       PUT flow with ID 303 to http://<controller_ip>:8181/restconf/config/opendaylight-inventory:nodes/node/openflow:2/table/0/flow/303

  29. RESTCONF Flows (XML)
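The flow documents that slides 28 and 29 PUT to switch 2 are not reproduced in this transcript (slide 29 was an image). The script below is an added example, not the presenter's code: it builds the two table-0 flows (match IPv4 to the host, rewrite the Ethernet destination, send out the bypass port) in the urn:opendaylight:flow:inventory RESTCONF model and PUTs them with the headers from slide 28. The Content-Type header, flow names and cookie values are this example's own choices, and CONTROLLER_IP is a placeholder; the match fields, MAC addresses and output ports are the ones the switch later reports on slide 30.

```python
"""Added example (not from the slides): build and PUT the two DPI-bypass flows
for switch openflow:2, table 0, via the OpenDaylight RESTCONF config datastore."""
import base64
import urllib.request
import xml.etree.ElementTree as ET

CONTROLLER_IP = "192.0.2.10"   # placeholder (RFC 5737 documentation range)
FLOW_NS = "urn:opendaylight:flow:inventory"


def build_flow_xml(flow_id, nw_dst, eth_dst, out_port, priority=200, cookie=0):
    """Return the RESTCONF flow document: match IPv4 packets to nw_dst, set the
    Ethernet destination to eth_dst and output them on out_port."""
    ET.register_namespace("", FLOW_NS)          # serialise as a default xmlns
    flow = ET.Element(f"{{{FLOW_NS}}}flow")

    def sub(parent, tag, text=None):
        el = ET.SubElement(parent, f"{{{FLOW_NS}}}{tag}")
        if text is not None:
            el.text = str(text)
        return el

    sub(flow, "id", flow_id)
    sub(flow, "table_id", 0)
    sub(flow, "priority", priority)
    sub(flow, "cookie", cookie)
    sub(flow, "flow-name", f"dpi-bypass-{flow_id}")   # name is our own choice

    match = sub(flow, "match")
    eth_match = sub(match, "ethernet-match")
    sub(sub(eth_match, "ethernet-type"), "type", 2048)  # 0x0800 = IPv4 ("ip")
    sub(match, "ipv4-destination", f"{nw_dst}/32")

    instr = sub(sub(flow, "instructions"), "instruction")
    sub(instr, "order", 0)
    actions = sub(instr, "apply-actions")

    set_field = sub(actions, "action")               # action 0: rewrite eth_dst
    sub(set_field, "order", 0)
    sf_eth = sub(sub(set_field, "set-field"), "ethernet-match")
    sub(sub(sf_eth, "ethernet-destination"), "address", eth_dst)

    output = sub(actions, "action")                  # action 1: output port
    sub(output, "order", 1)
    sub(sub(output, "output-action"), "output-node-connector", out_port)

    return ET.tostring(flow, encoding="unicode")


def flow_url(controller_ip, node, table, flow_id):
    """URL of one flow in the config datastore, as on slide 28."""
    return (f"http://{controller_ip}:8181/restconf/config/"
            f"opendaylight-inventory:nodes/node/{node}/table/{table}/flow/{flow_id}")


def basic_auth_header(user, password):
    """HTTP Basic value; admin/admin yields the token shown on slide 28."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def put_flow(controller_ip, node, flow_id, body, user="admin", password="admin"):
    """PUT one flow document; returns the HTTP status code (200 or 201)."""
    req = urllib.request.Request(
        flow_url(controller_ip, node, 0, flow_id), data=body.encode(), method="PUT",
        headers={"Accept": "application/xml",
                 "Content-Type": "application/xml",   # assumed: needed for PUT bodies
                 "Authorization": basic_auth_header(user, password)})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# The two flows from the deck: h3-bound traffic out port 4, h1-bound replies out port 5.
FLOWS = [
    dict(flow_id=202, nw_dst="10.0.3.101", eth_dst="f6:2f:25:06:ab:27", out_port=4, cookie=0),
    dict(flow_id=303, nw_dst="10.0.1.101", eth_dst="f2:3e:8d:a4:71:07", out_port=5, cookie=1),
]

if __name__ == "__main__":
    for f in FLOWS:
        status = put_flow(CONTROLLER_IP, "openflow:2", f["flow_id"], build_flow_xml(**f))
        print(f"flow {f['flow_id']}: HTTP {status}")
```

Both flows sit at priority 200 so they win over the lower-priority VLAN-steering entries; nothing else in table 0 is touched, which is why the second DPI drops out of the path while the first one still sees the flow.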

  30. The Switch Accepts the Flows

       $ sudo ovs-ofctl -O OpenFlow13 dump-flows s2
       cookie=0x0, duration=350.260s, table=0, n_packets=0, n_bytes=0, priority=200,ip,nw_dst=10.0.3.101 actions=set_field:f6:2f:25:06:ab:27->eth_dst,output:4
       cookie=0x1, duration=33.552s, table=0, n_packets=0, n_bytes=0, priority=200,ip,nw_dst=10.0.1.101 actions=set_field:f2:3e:8d:a4:71:07->eth_dst,output:5
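Reading the dump by eye works for two flows; a practitioner who is steering traffic around an inspection point wants a repeatable check that the switch holds exactly the intended bypass entries and nothing else at that priority. The script below is an added example, not part of the deck: it parses `ovs-ofctl dump-flows` output (the two lines from slide 30 are embedded as the sample) and compares the installed match/actions against the flows that were PUT on slide 28.

```python
"""Added example (not from the slides): verify that switch s2's table 0 holds
exactly the DPI-bypass flows the controller was asked to install."""
import re

# Sample constructed from slide 30's `ovs-ofctl -O OpenFlow13 dump-flows s2` output.
SAMPLE_DUMP = """\
cookie=0x0, duration=350.260s, table=0, n_packets=0, n_bytes=0, priority=200,ip,nw_dst=10.0.3.101 actions=set_field:f6:2f:25:06:ab:27->eth_dst,output:4
cookie=0x1, duration=33.552s, table=0, n_packets=0, n_bytes=0, priority=200,ip,nw_dst=10.0.1.101 actions=set_field:f2:3e:8d:a4:71:07->eth_dst,output:5
"""

# What the RESTCONF PUTs on slide 28 asked for: nw_dst -> (eth_dst rewrite, output port).
EXPECTED = {
    "10.0.3.101": ("f6:2f:25:06:ab:27", 4),
    "10.0.1.101": ("f2:3e:8d:a4:71:07", 5),
}

FLOW_RE = re.compile(
    r"cookie=(?P<cookie>0x[0-9a-f]+),.*?table=(?P<table>\d+),.*?"
    r"priority=(?P<priority>\d+),?(?P<match>[^ ]*) actions=(?P<actions>\S+)")


def parse_dump(text):
    """Return one dict per flow line; non-flow lines (e.g. the OFPST_FLOW reply
    header ovs-ofctl prints first) are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["table"] = int(d["table"])
        d["priority"] = int(d["priority"])
        d["match"] = d["match"].split(",") if d["match"] else []
        d["actions"] = d["actions"].split(",")
        flows.append(d)
    return flows


def _field(items, prefix):
    """First item starting with prefix, with the prefix stripped, or None."""
    return next((x[len(prefix):] for x in items if x.startswith(prefix)), None)


def check_bypass_flows(text, expected=EXPECTED, priority=200):
    """Return a list of problems (empty = table matches intent): a missing bypass
    flow, a flow whose rewrite or port differs, or an extra flow at that priority."""
    problems = []
    seen = {}
    for f in parse_dump(text):
        if f["table"] != 0 or f["priority"] != priority:
            continue                                   # not one of ours
        nw_dst = _field(f["match"], "nw_dst=")
        if nw_dst is None or "ip" not in f["match"]:
            problems.append(f"unexpected match {f['match']} at priority {priority}")
            continue
        mac = _field(f["actions"], "set_field:")
        mac = mac[:-len("->eth_dst")] if mac and mac.endswith("->eth_dst") else None
        port = _field(f["actions"], "output:")
        seen[nw_dst] = (mac, int(port) if port is not None else None)
    for dst, want in expected.items():
        got = seen.get(dst)
        if got is None:
            problems.append(f"missing bypass flow for {dst}")
        elif got != want:
            problems.append(f"{dst}: installed {got}, expected {want}")
    for dst in seen.keys() - expected.keys():
        problems.append(f"unexpected priority-{priority} flow for {dst}")
    return problems


if __name__ == "__main__":
    print(check_bypass_flows(SAMPLE_DUMP) or "table 0 on s2 matches the intended bypass flows")
```

Feed it the live output (`sudo ovs-ofctl -O OpenFlow13 dump-flows s2`) after each RESTCONF change; an unexpected entry at the bypass priority is the first sign that someone or something other than your orchestration is programming the switch.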

  31. Latency Reduced
     • Ping now shows that the second, slow DPI is no longer in the path:

       mininet> h1 ping h3
       PING 10.0.3.101 (10.0.3.101) 56(84) bytes of data.
       64 bytes from 10.0.3.101: icmp_seq=1 ttl=63 time=21.3 ms
       64 bytes from 10.0.3.101: icmp_seq=2 ttl=63 time=20.9 ms
       64 bytes from 10.0.3.101: icmp_seq=3 ttl=63 time=20.7 ms
       ^C
       --- 10.0.3.101 ping statistics ---
       3 packets transmitted, 3 received, 0% packet loss, time 2002ms
       rtt min/avg/max/mdev = 20.713/20.983/21.320/0.252 ms

  32. Latency Reduced
     • Traceroute confirms that the flow bypasses the second DPI

       mininet> h1 traceroute -n h3
       traceroute to 10.0.3.101 (10.0.3.101), 30 hops max, 60 byte packets
        1  10.0.1.1  21.117 ms  20.796 ms  20.423 ms
        2  10.0.3.101  24.597 ms  24.477 ms  *

  33. DPI Bypass Demo Approach #2: ODL SFC

  34. A Little More Detail: ODL
     ODL Provides a Northbound SFC “App”
