“You can keep your firewall (if you want to)”
Practical, simple and cost saving applications of OpenDaylight you can implement today
John Sobanski, Engineer, Solers Inc.
July 2015
@OpenDaylightSDN #OpenSDN
What You Will Learn today (By Demonstration)
• 10,000 Foot Views of Software Defined Networking (SDN), OpenDaylight (ODL) and Service Function Chains (SFC)
• Solve real world data center problems with ODL
• RESTCONF API
• ODL Service Function Chaining
• Feel free to contact me for any details I don't cover here: jsobanski@solers.com, https://ask.opendaylight.org/users/420/runamuck/
Top three emerging technologies of the decade?
• My take…
  • Big Data
  • DevOps
  • Software Defined Networks
Any Others?
“Is SDN Hype?”
• “Big Data and DevOps have clear applications and use cases but Software Defined Networks appears to be a solution in search of a problem.”
• “Most SDN activity is focused in Academia or dedicated ‘Network Function Virtualization (NFV)’ shops... not relevant to us.”
• “SDN/NFV only applies to Greenfield Architectures.”
These slides will prove these opinions wrong
“Who cares about networks?”
• Answer: You Do! Network latency and/or loss breaks services.
“Latency and Loss don’t apply to my Data Center”
• “Latency and Loss? I've got dozens of 10GbE ports!!!”
• Layer 2: Spanning tree protocol
  • Blocks all but one path to prevent loops
  • (Enable LACP/LAG)
• Layer 3: Shortest path first
  • Sends all traffic through a congested "one hop" path instead of a wide open "two hop" path
  • (Try Traffic Engineering)
• Layer 4: Default TCP buffers
  • Small buffers mean more round trips. Latency throttles throughput.
  • (Tune the buffer)
You need to care about the network!
What are Network Services?
• Familiar Network Services
  • Load Balancing
  • Firewall
  • Deep Packet Inspection (DPI)
  • Access Control Lists
  • Parental Control
• Other Network Services
  • "Global State" (Routing)
  • Broadcast Domain Scoping (VLAN)
  • Resource Signaling
  • Prioritization and Preemption
  • Multicast
  • N-Cast
10,000 Foot Overview
• 10,000 Foot view of SDN
  • At any given time, use a centralized controller to move data through your network equipment as you see fit
  • Doesn't seem like a big deal to non-network types but this is incredibly powerful!
• 10,000 Foot view of OpenDaylight
  • Allows you to install network services as "Apps"
  • Provides a single REST API to configure heterogeneous hardware
  • This is a “no brainer” for developers but is HUGE for network engineers
• 10,000 Foot view of Service Function Chains
  • “Service Overlay”
  • Divorce Network Services From Topology
• For more detail see:
  • https://www.opennetworking.org/sdn-resources/sdn-definition
  • http://www.opendaylight.org/project/technical-overview
  • https://wiki.opendaylight.org/view/Service_Function_Chaining:Main
A Little More Detail: SDN Layers
• Top Layer: Northbound
  • Network Apps & Orchestration
  • Business logic to monitor and control network behavior
  • Thread services together
• Middle Layer: Controller Platform
  • Exposes "Northbound" APIs to the Application layer
• Lower Layer: Southbound
  • Command and control of hardware
  • Network Devices (Physical or Virtual)
  • Switches, Routers, Firewalls etc.
A Little More Detail: OpenDaylight
• OpenDaylight
  • Open source project
  • Modular/Pluggable and flexible controller platform
  • Java Virtual Machine (JVM)
  • Dynamically Pluggable Modules for Network Tasks
  • OSGi framework (local applications)/bidirectional REST (local or remote) for the northbound API
• Network Apps
  • House business logic and algorithms
  • Gather network intelligence from the controller
  • Run algorithms to perform analytics
  • Orchestrate new rules (if any) via controller
• Southbound
  • OpenFlow 1.3, OVSDB, SNMP, CLI
  • Service Abstraction Layer links Northbound to Southbound
A Little More Detail: ODL
(architecture diagram; not reproduced in this text)
A Little More Detail: SFC
• SFC enables a “service topology”
  • Overlay built “on top” of existing network topology
  • Use any overlay or underlay technology to create service paths
  • VLAN, ECMP, GRE, VXLAN, etc.
• SFC provides resources for consumption
  • Service Topology connects those resources
• Quickly/Easily add new service functions
  • Requires no underlying network changes
One Caveat Before we begin
• WARNING: Software Defined Networking is incredibly powerful!
• You must protect your Southbound interfaces with the same regard as a firewall or any root privileges
• ODL accommodates TLS for Southbound interfaces
• The security, identity and bureaucratic planes are orthogonal to the technology plane we discuss here
• We do not discuss security, identity or policy but you must consider them when architecting your ODL solution
One more Caveat
• WARNING: If you are not a hands-on network engineer, this presentation may "spoil" you.
• Providing the following two OPSCON using legacy protocols may be impossible and at the very least requires intense, disciplined, meticulous network engineering.
DPI Bypass Approach #1: RESTCONF API
OPSCON #1: Deep Packet Inspection Bypass
• This scenario investigates how to reduce latency
• You have a data center that performs deep packet inspection (DPI) for inter-network flows
• DPI injects latency into the end to end (E2E) flow and increases Round Trip Time (RTT)
Reminder: Network latency and loss breaks services!
Topology
• Network gateways in Firewall/DPI appliance
• VLAN steer (bent pipe) traffic through DPI (via gateways) for inter-network flows
• Can we create logic to DPI only once?
One Approach
• Put logic (i.e. rules) in the DPI appliance to bypass certain flows
• This, however, consumes resources and can saturate the backplane
Put logic here?
Better Approach
• Use the OpenDaylight controller and put logic in the switch!
Put logic here!
OPSCON #1 Detailed Topology
DPI Bypass Demo Approach #1: RESTCONF API
Note: This section will be a live demonstration
Step 1: Start ODL Platform via Client
• Platform includes controller
• Install Network Apps via command line
Validate Topology
• Connect to controller and “pingall”
ODL Shows the Layer 2 Interfaces
Baseline: Two DPI = Severe Latency
• Ping from Client (h1) to Server (h3) shows 40+ ms latency

  mininet> h1 ping h3
  PING 10.0.3.101 (10.0.3.101) 56(84) bytes of data.
  64 bytes from 10.0.3.101: icmp_seq=1 ttl=62 time=42.1 ms
  64 bytes from 10.0.3.101: icmp_seq=2 ttl=62 time=41.3 ms
  64 bytes from 10.0.3.101: icmp_seq=3 ttl=62 time=41.1 ms
  ^C
  --- 10.0.3.101 ping statistics ---
  3 packets transmitted, 3 received, 0% packet loss, time 2003ms
  rtt min/avg/max/mdev = 41.119/41.546/42.143/0.465 ms
Baseline: End to End (E2E) Path
• Traceroute shows a path through the two DPI gateways, as expected

  mininet> h1 traceroute -n h3
  traceroute to 10.0.3.101 (10.0.3.101), 30 hops max, 60 byte packets
   1  10.0.1.1  21.180 ms  21.028 ms  20.837 ms
   2  10.0.2.1  42.565 ms  42.482 ms  42.418 ms
   3  * * 10.0.3.101  43.144 ms
  mininet>
Configure Switch via ODL Platform REST API
Configure Switch via ODL Platform REST API
• Use these headers:
  Accept: application/xml
  Authorization: Basic YWRtaW46YWRtaW4=
• Then post the following flows (next slide) to Switch 2's table zero:
  PUT flow with ID 202 to http://<controller_ip>:8181/restconf/config/opendaylight-inventory:nodes/node/openflow:2/table/0/flow/202
  PUT flow with ID 303 to http://<controller_ip>:8181/restconf/config/opendaylight-inventory:nodes/node/openflow:2/table/0/flow/303
RESTCONF Flows (XML)
(flow bodies shown on the slide as an image; not reproduced in this text)
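The slide's XML bodies are not reproduced in this text, so here is an added example (mine, not the deck's or the OpenDaylight project's code) that builds the two bypass flows and the RESTCONF PUT requests for them. It assumes the openflowplugin flow model (XML namespace urn:opendaylight:flow:inventory) and the config-datastore URL from the previous slide; the flow ids, cookies, destination IPs, MAC addresses and output ports are taken from the ovs-ofctl output on the following slide. Note what the Authorization header actually is: `YWRtaW46YWRtaW4=` is just base64 of `admin:admin`, the ODL default credentials, and over plain HTTP on port 8181 it travels in the clear, so the RESTCONF endpoint deserves the same protection the earlier caveat slide gives to the southbound interfaces.

```python
"""Build the two DPI-bypass flows and the RESTCONF PUT requests that install them.

Added example, not from the slides. Assumes the OpenDaylight openflowplugin flow
model (XML namespace urn:opendaylight:flow:inventory) and the config-datastore
URL shown on the slide. Flow ids, cookies, destination IPs, MAC addresses and
output ports are copied from the slides' ovs-ofctl output.
"""
import base64
import urllib.request
import xml.etree.ElementTree as ET

NS = "urn:opendaylight:flow:inventory"


def flow_xml(flow_id, cookie, nw_dst, eth_dst, out_port, priority=200, table_id=0):
    """XML for one table-0 flow: match IPv4 to nw_dst, rewrite the destination
    MAC to eth_dst (the next hop that skips the DPI) and output on out_port."""
    flow = ET.Element("flow", xmlns=NS)
    for tag, val in (("id", flow_id), ("cookie", cookie), ("table_id", table_id),
                     ("priority", priority), ("idle-timeout", 0), ("hard-timeout", 0)):
        ET.SubElement(flow, tag).text = str(val)
    match = ET.SubElement(flow, "match")
    eth_type = ET.SubElement(ET.SubElement(match, "ethernet-match"), "ethernet-type")
    ET.SubElement(eth_type, "type").text = "2048"  # 0x0800 = IPv4 ("ip" in dump-flows)
    ET.SubElement(match, "ipv4-destination").text = f"{nw_dst}/32"
    instr = ET.SubElement(ET.SubElement(flow, "instructions"), "instruction")
    ET.SubElement(instr, "order").text = "0"
    actions = ET.SubElement(instr, "apply-actions")
    set_field = ET.SubElement(actions, "action")          # action 0: set_field eth_dst
    ET.SubElement(set_field, "order").text = "0"
    eth_dst_el = ET.SubElement(ET.SubElement(ET.SubElement(set_field, "set-field"),
                                             "ethernet-match"), "ethernet-destination")
    ET.SubElement(eth_dst_el, "address").text = eth_dst
    output = ET.SubElement(actions, "action")             # action 1: output:<port>
    ET.SubElement(output, "order").text = "1"
    ET.SubElement(ET.SubElement(output, "output-action"),
                  "output-node-connector").text = str(out_port)
    return ET.tostring(flow, encoding="unicode")


def restconf_request(controller_ip, node, table_id, flow_id, body,
                     user="admin", password="admin"):
    """(method, url, headers, body) for one PUT, mirroring the slide. HTTP Basic
    auth is only base64(user:password): the slide's header decodes to admin:admin."""
    url = (f"http://{controller_ip}:8181/restconf/config/opendaylight-inventory:nodes"
           f"/node/{node}/table/{table_id}/flow/{flow_id}")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Accept": "application/xml", "Content-Type": "application/xml",
               "Authorization": f"Basic {token}"}
    return "PUT", url, headers, body


# Values copied from the slides' dump-flows output (s2 = openflow:2)
BYPASS_FLOWS = [
    dict(flow_id=202, cookie=0, nw_dst="10.0.3.101", eth_dst="f6:2f:25:06:ab:27", out_port=4),
    dict(flow_id=303, cookie=1, nw_dst="10.0.1.101", eth_dst="f2:3e:8d:a4:71:07", out_port=5),
]


def build_requests(controller_ip="<controller_ip>", node="openflow:2"):
    """Dry run: the exact requests that would be sent, without sending them."""
    return [restconf_request(controller_ip, node, 0, f["flow_id"], flow_xml(**f))
            for f in BYPASS_FLOWS]


def push(controller_ip, node="openflow:2"):
    """Send the PUTs to a live controller (needs network access to it)."""
    for method, url, headers, body in build_requests(controller_ip, node):
        req = urllib.request.Request(url, data=body.encode(), headers=headers, method=method)
        with urllib.request.urlopen(req) as resp:
            print(resp.status, url)


if __name__ == "__main__":
    for method, url, headers, body in build_requests():
        print(method, url)
        print(body)
```

`build_requests()` prints the two PUTs without touching a controller, which is useful for review before a change; `push("<controller_ip>")` performs them.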
The Switch Accepts the Flows

  $ sudo ovs-ofctl -O OpenFlow13 dump-flows s2
  cookie=0x0, duration=350.260s, table=0, n_packets=0, n_bytes=0, priority=200,ip,nw_dst=10.0.3.101 actions=set_field:f6:2f:25:06:ab:27->eth_dst,output:4
  cookie=0x1, duration=33.552s, table=0, n_packets=0, n_bytes=0, priority=200,ip,nw_dst=10.0.1.101 actions=set_field:f2:3e:8d:a4:71:07->eth_dst,output:5
Latency Reduced
• Ping now shows that the second, slow DPI is no longer in the path:

  mininet> h1 ping h3
  PING 10.0.3.101 (10.0.3.101) 56(84) bytes of data.
  64 bytes from 10.0.3.101: icmp_seq=1 ttl=63 time=21.3 ms
  64 bytes from 10.0.3.101: icmp_seq=2 ttl=63 time=20.9 ms
  64 bytes from 10.0.3.101: icmp_seq=3 ttl=63 time=20.7 ms
  ^C
  --- 10.0.3.101 ping statistics ---
  3 packets transmitted, 3 received, 0% packet loss, time 2002ms
  rtt min/avg/max/mdev = 20.713/20.983/21.320/0.252 ms
Latency Reduced
• Traceroute confirms that the flow bypasses the second DPI

  mininet> h1 traceroute -n h3
  traceroute to 10.0.3.101 (10.0.3.101), 30 hops max, 60 byte packets
   1  10.0.1.1  21.117 ms  20.796 ms  20.423 ms
   2  10.0.3.101  24.597 ms  24.477 ms *
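The before/after evidence on these slides is three measurements: the rtt summary, the TTL of the replies (63 instead of 62 means one router fewer in the path) and the traceroute hop list with 10.0.2.1 gone. This added example (mine, not the deck's) turns that eyeball comparison into a scripted check; the four transcripts are the slides' own ping and traceroute output embedded so it runs offline, and 10.0.2.1 is assumed to be the second DPI gateway that should disappear.

```python
"""Confirm from the hosts' point of view that the DPI bypass took effect.

Added example, not from the slides. The four transcripts are the slides' ping
and traceroute output; 10.0.2.1 is the second DPI gateway (an assumption drawn
from the baseline traceroute) that must be absent after the change.
"""
import re

PING_BEFORE = """\
PING 10.0.3.101 (10.0.3.101) 56(84) bytes of data.
64 bytes from 10.0.3.101: icmp_seq=1 ttl=62 time=42.1 ms
64 bytes from 10.0.3.101: icmp_seq=2 ttl=62 time=41.3 ms
64 bytes from 10.0.3.101: icmp_seq=3 ttl=62 time=41.1 ms
--- 10.0.3.101 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 41.119/41.546/42.143/0.465 ms
"""
PING_AFTER = """\
PING 10.0.3.101 (10.0.3.101) 56(84) bytes of data.
64 bytes from 10.0.3.101: icmp_seq=1 ttl=63 time=21.3 ms
64 bytes from 10.0.3.101: icmp_seq=2 ttl=63 time=20.9 ms
64 bytes from 10.0.3.101: icmp_seq=3 ttl=63 time=20.7 ms
--- 10.0.3.101 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 20.713/20.983/21.320/0.252 ms
"""
TRACE_BEFORE = """\
traceroute to 10.0.3.101 (10.0.3.101), 30 hops max, 60 byte packets
 1  10.0.1.1  21.180 ms  21.028 ms  20.837 ms
 2  10.0.2.1  42.565 ms  42.482 ms  42.418 ms
 3  * * 10.0.3.101  43.144 ms
"""
TRACE_AFTER = """\
traceroute to 10.0.3.101 (10.0.3.101), 30 hops max, 60 byte packets
 1  10.0.1.1  21.117 ms  20.796 ms  20.423 ms
 2  10.0.3.101  24.597 ms  24.477 ms *
"""


def ping_stats(text):
    """Packet loss, reply TTL and the min/avg/max/mdev summary of a ping transcript."""
    loss = re.search(r"(\d+)% packet loss", text)
    ttl = re.search(r"ttl=(\d+)", text)
    rtt = re.search(r"rtt min/avg/max/mdev = ([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+) ms", text)
    if not (loss and ttl and rtt):
        raise ValueError("not a complete ping transcript")
    return {"loss_pct": int(loss.group(1)), "ttl": int(ttl.group(1)),
            **dict(zip(("min", "avg", "max", "mdev"), map(float, rtt.groups())))}


def traceroute_hops(text):
    """Responding address per hop, in order; a hop that only answered '*' yields None."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)$", line)   # hop lines start with the hop number
        if not m:
            continue
        addr = re.search(r"\d+\.\d+\.\d+\.\d+", m.group(2))
        hops.append(addr.group(0) if addr else None)
    return hops


def bypass_report(ping_before, ping_after, trace_before, trace_after, dpi_gw):
    """Before/after comparison; 'bypass_effective' is the single pass/fail verdict."""
    b, a = ping_stats(ping_before), ping_stats(ping_after)
    hb, ha = traceroute_hops(trace_before), traceroute_hops(trace_after)
    return {
        "avg_rtt_before_ms": b["avg"], "avg_rtt_after_ms": a["avg"],
        "rtt_reduction_pct": round(100 * (b["avg"] - a["avg"]) / b["avg"], 1),
        "ttl_before": b["ttl"], "ttl_after": a["ttl"],   # one more TTL left = one router fewer
        "hops_before": len(hb), "hops_after": len(ha),
        "dpi_gw_before": dpi_gw in hb, "dpi_gw_after": dpi_gw in ha,
        "bypass_effective": a["loss_pct"] == 0 and a["avg"] < b["avg"] and dpi_gw not in ha,
    }


if __name__ == "__main__":
    for k, v in bypass_report(PING_BEFORE, PING_AFTER, TRACE_BEFORE, TRACE_AFTER, "10.0.2.1").items():
        print(f"{k}: {v}")
```

On the slides' numbers the average RTT roughly halves and the gateway at 10.0.2.1 leaves the path; the same functions work on fresh `ping`/`traceroute -n` output captured after a change window.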
DPI Bypass Demo Approach #2: ODL SFC
A Little More Detail: ODL
ODL Provides a Northbound SFC “App”