Cisco SDN/NFV Innovations (SDN NFV Day ITB 2016)
Released: March 21st, 2016
1. Cisco SDN/NFV Innovations
Mohamad Ali Fahmi (mofahmi@cisco.com)
2. Agenda
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
• Introduction
• Architecture
• Innovations
• Summary
3. SDN is…
• …a new approach*
• …transforming the networking industry, challenging the way we think about engineering, implementing and managing networks
• …providing new methods to interact with equipment/services – controllers, APIs
• …empowering external influencers to network design and operations
• …generating a LOT of ‘buzz’ and attention
• …providing a catalyst for traditional Route/Switch engineers to branch out
* […not the first attempt!]
4. SDN is not…
• …an easy button… but it is intended to make things easier for all!
• …a panacea or end-state
• …well or narrowly defined
• …meaning the death of network engineers
• …a mandate for all network engineers to become C and Java programmers
• …a new attempt at network evolution…
5. Emerging Technologies: Motivations and Strategy
• SDN – Open and Programmable at all Layers: Simplify / Reduce Complexity
• NFV – Elastic Resource Capacity: Reduce Total Costs Across all Services
• Service Orchestration – Customized Delivery: Automation / Accelerate Time to Revenue
Business outcomes: Business Agility, Operational Simplicity, Profitability (¥£€$)
6. Cisco Strategy: Various models of programmability
• Model 1, Vendor-specific APIs (e.g. onePK): applications call programmable APIs exposed directly by the device's Control Plane and Data Plane, alongside CLI, SNMP, …
• Model 2a, Classic SDN: applications use vendor-specific APIs on a Controller, which programs the Data Plane over OpenFlow
• Model 2b, Hybrid “SDN”: applications use vendor-specific APIs on a Controller that programs the devices over OpenFlow and vendor-specific APIs (e.g. onePK), while the devices keep their own Control Plane
• Model 3, Network Virtualization / Virtual Overlays: applications use vendor-specific APIs on a Virtual Control Plane and Virtual Data Plane, built over the physical Control Plane and Data Plane with overlay protocols (e.g. VXLAN)
7. ETSI: NFV Reference Architecture
• OSS/BSS, with EMS 1, EMS 2 and EMS 3 managing VNF 1, VNF 2 and VNF 3
• NFVI: Virtual Computing, Virtual Storage and Virtual Network over a Virtualisation Layer, on hardware resources (Computing Hardware, Storage Hardware, Network Hardware)
• NFV Management and Orchestration: Orchestrator, VNF Manager(s), Virtualised Infrastructure Manager(s), and the Service, VNF and Infrastructure Description
• Reference points: Os-Ma, Se-Ma, Ve-Vnfm, Or-Vnfm, Or-Vi, Vi-Vnfm, Nf-Vi, Vn-Nf, Vl-Ha (legend: execution reference points, main NFV reference points, other reference points)
8. ETSI: NFV Architecture
The same reference architecture as the previous slide, annotated into three areas: Infrastructure, S/W Architecture, and Management and Operations.
9. Cisco NFV Architecture
• NFV-O & Resource Orchestration: NSO – Network Services Orchestrator enabled by Tail-f, with North Bound APIs
• VNF Manager: Cisco ESC, Cisco CTCM or 3rd Party
• Virtual Network Functions (Cisco and 3rd Party): CSR, ASAv, vNAM, vIPS, vPC-DI, vIMS, Video Opt., 3rd Party
• Virtual Infrastructure Manager: Mercury based on RHEL OSP 7 OpenStack, or 3rd Party
• Network VIM: APIC, VTS, OSC or 3rd Party
• NFVI Scope: Linux (RHEL 7.1), Hypervisor (KVM), Host Packages, Software Defined Storage, on Cisco Physical Infrastructure (Compute (UCS), Network, Storage (Ceph))
• Unified Management with assurance: UCSD (API, GUI), Assurance
10. Cisco Innovations
- vMS
- vBranch
- ACI
- APIC-EM
- Ultra Service Platform
- ACE
11. Managed Services
Today: Network based VPNs + physical appliances (diagram: PE routers over an IP/MPLS core, with a Data Centre)
Today
• Physical appliances in DC
• Services in the branch – appliances or integrated
Two major disruptors
• Cloud computing
• Overlay VPNs
• Different impacts!
12. Managed Services evolution
Option 1: Network based VPNs + cloud computing (diagram: PE routers over an IP/MPLS core, services hosted in the Data Centre)
• Simplification of the branch: basic routing, L2 switching
• Primarily an SP play
• Service moves to DC: virtualized, DCs spread across infrastructure
• Benefits: reduced equipment costs, reduced onsite effort, more flexibility
13. VMS Release 2.0: Delivering Comprehensive Cloud VPN Services
Cloud VPN Services
§ 3 Service Models for Enterprise deployment flexibility:
§ Cloud VPN Foundation
§ Cloud VPN Advanced
§ Cloud VPN Advanced w/Web Security
§ CSR1Kv: Virtual Router for Site-to-Site VPN with Secure IP Overlay using FlexVPN/IKEv2 for IPSec Tunnels
§ ASAv: vFW with NAT and Policy (*)
§ ASAv: vFW with IPSec/SSL Remote Access (*)
§ WSAv for Enhanced Web Security (*)
Management and Orchestration
§ Enterprise Admin Service Interface (Portal) driven service instantiation
§ Zero-Touch Deployment of enterprise CPE (ISR G2)
§ Model driven Network Services lifecycle management with Network Service Orchestrator (NSO) from Tail-f
§ VNF lifecycle management with Elastic Services Controller (ESC)
§ Virtual Infrastructure Management with OpenStack featuring OVS and ODL/VPP as SDN Controllers
Diagram: NSO – NFV Orchestrator (PnP RFS, VirTo RFS, API) drives ESC – VNF Manager and OpenStack – Virtual Infrastructure Manager. Customer CPEs (Cust-A, Cust-B, Cust-C) reach the service over the Internet through Flex-VPN links (Access Model: Flex-VPN Links, IPSEC VPN Service Access, Over The Top Access, CPE Managed Orchestration Link). Each service model terminates on a vRouter (VR): the Foundation Service provides Direct Internet Access via “Split Tunnel”; Advanced adds an ASA; Advanced w/Web Security adds a WSA; Internet Access / Remote Access is via the vRouter.
14. VMS 1.0.2 Services
CISCO CONFIDENTIAL – SHARED UNDER NDA ONLY
• CPE: ISR 800, 1900, 2900, 3900 Series
• VPN Managed WAN: Branch sites connect over CloudVPN (IPSec) to a vRouter (CSR1Kv)
• Managed Security: Firewall (ASAv), Web Security (WSAv) for Internet access, Remote Access
• Diagram label: Scope of Orchestration
15. VMS 2.0 Services
• CPE: ISR 800, 1900, 2900, 3900, 4000 Series
• VPN Managed WAN: Branch sites connect over CloudVPN (IPSec) to a vRouter (CSR1Kv)
• Managed Security: Firewall (ASAv), Web Security (WSAv), Intrusion Prevention (IPSv) for Internet access, Remote Access
• Diagram label: Scope of Orchestration
16. VMS 2.1 Services
VMS – Cloud VPN “as a Service”
• CPE: ISR 800, 1900, 2900, 3900, 4000 Series
• VPN Managed WAN: Branch sites connect over CloudVPN (IPSec) to a vRouter (CSR1Kv)
• Managed Security: Firewall (ASAv), Web Security (WSAv), Intrusion Prevention (IPSv) for Internet access, Remote Access
• Diagram label: Scope of Orchestration
17. VMS 2.2 Services
• CPE: ISR 800, 1900, 2900, 3900, 4000 Series
• VPN Managed WAN: Branch sites connect over CloudVPN (IPSec) to a vRouter (CSR1Kv), or over MPLS VPN (MPLS) to a vPE (CSR1Kv)
• IWAN (BR/MC): Branch and Headquarters CPE joined by DMVPN over the Internet (IPSec) and DMVPN over MPLS VPN (MPLS)
• Managed Security: Firewall (ASAv), Web Security (WSAv), Intrusion Prevention (IPSv) for Internet access, Remote Access
• Diagram label: Scope of Orchestration
18. Delivering services to the branch
Today’s approaches
Rack and Stack
• Good: best in breed, customer choice, modular build-out
• Drawbacks: environmental (space / power / wiring), onsite + complex installation, truck rolls
Integrated Branch Solution
• Benefits: fully integrated solution, no truck roll, simpler environmental
• Drawbacks: reduced customer choice, upfront hardware investment, software inter-dependencies
19. What is vBranch Orchestration
Diagram: User & Operator portal and NFV Orchestration (NCS) reach the branch over the IP network; at the branch an x86 entity hosts CSR1kv, ASAv, vWAAS and 3rd party VNFs, with a VNF EMS / NMS / Controller
• Centrally orchestrated branch-level NFV solution
• Central portal infrastructure
• NFV orchestrator: NCS
• VNF EMS / NMS / Controller: customer's choice
• Elastic Services Controller @ branch: GUI + local life cycle management
• x86 capability at the branch
20. Customer Experience in Brief
1. Order / Customize Your Services
2. CPE ships (if needed)
3. CPE is connected (if needed)
4. Orchestration occurs automatically!
Service is up and running: the customer site (10.12.162.x) is connected over the Internet by the Customer VPN to the Service Provider Cloud
21. Self-Service User and Operator Portals – Customizable
Service health awareness and resource utilization are integrated with service orchestration into the operator and end-customer portals.
22. Cisco Virtual Managed Services: Cloud VPN and Cloud MPLS Packages
Diagram: Customers with flexible CPE (Cisco ISR or Ethernet NID) connect over Secure Broadband or Secure WAN (IPsec / MPLS) to the Service Provider Cloud, where the Cisco® Virtual Managed Services Platform (Self-Service Portal, Service Catalog, Orchestration Engine, Open APIs) runs vRouter, vFirewall, vWSA and vIPS on the Cisco Evolved Programmable Network (Compute, Storage, Network)
23. ACI Building Blocks
Nexus 9500 and 9300: next generation Nexus for traditional networks, future proof (software upgradable to ACI)
• 50% simpler code base
• Future proof: upgradable to ACI
• Programmability and automation
• Network virtualization support
• Resiliency: in service patching, upgrade, fast restart
• Innovations in software, hardware and system design: price, power efficiency, programmability, port density, performance
• Optimized NX-OS; scale out without compromise; common building blocks for access and core
APIC and the ACI policy model: open RESTful APIs, centralized policy model, open source controller
• Built-in line rate end point directory
• Integrated overlay
• 40G non-blocking fabric
• Simple, secure
24. All forwarding in the fabric is managed through the application network profile
• IP addresses are fully portable anywhere within the fabric
• Security and forwarding are fully decoupled from any physical or virtual network attributes
• Devices autonomously update the state of the network based on configured policy requirements
Application policy model: defines the application requirements (application network profile)
Policy instantiation: each device dynamically instantiates the required changes based on the policies
Diagram: APIC holds the profile of an Application with Client, Web Tier, App Tier, DB Tier and Storage; VMs at 10.2.4.7, 10.9.3.37 and 10.32.3.7 are attached to the fabric under that policy
25. Cisco ACI Introduces Logical Network Provisioning of Stateless Hardware
Diagram: the Cisco Application Policy Infrastructure Controller (APIC) programs the Cisco® ACI Fabric, a scale-out, penalty-free overlay; the logical network runs Outside (Tenant VRF) → Web → App → DB, with Filter, QoS and Service functions inserted between the tiers
26. Two Types of Languages
App Language
• Application Tier Policy and Dependencies
• Security Requirements
• Service Level Agreement
• Application Performance
• Compliance
• Geo Dependencies
Infrastructure Language
• VLAN
• IP Address
• Subnets
• Firewalls
• Quality of Service
• Load Balancer
• Access Lists
Between the two sits a human translator.
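The application-centric model of slides 24 to 26, as an added example that is not part of the deck or of Cisco's software: tiers and contracts form the app language, `render()` plays the human translator that turns them into address-level rules, and endpoint IPs (the three addresses from slide 24, plus constructed ones) matter only at that last step, so moving a VM changes no policy decision. Tier names follow the deck; the endpoint ids, ports, the `AppProfile` class and the intra-tier allow rule are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Filter:
    proto: str
    port: int

@dataclass
class AppProfile:
    """App language: tiers (endpoint groups) and the contracts between them.
    Endpoints are placed by identity; their IP is an attribute, not a policy key."""
    name: str
    contracts: dict = field(default_factory=dict)  # (consumer, provider) -> {Filter}
    endpoints: dict = field(default_factory=dict)  # endpoint id -> (tier, ip)

    def allow(self, consumer, provider, proto, port):
        """Contract: endpoints in `consumer` may open proto/port to `provider`."""
        self.contracts.setdefault((consumer, provider), set()).add(Filter(proto, port))

    def attach(self, endpoint, tier, ip):
        """Place (or move) an endpoint; re-attaching with a new IP changes no policy."""
        self.endpoints[endpoint] = (tier, ip)

    def permits(self, src, dst, proto, port):
        """Decision made on tiers only. Contracts are directional (consumer -> provider);
        traffic inside a single tier is allowed in this simplified model."""
        src_tier, _ = self.endpoints[src]
        dst_tier, _ = self.endpoints[dst]
        if src_tier == dst_tier:
            return True
        return Filter(proto, port) in self.contracts.get((src_tier, dst_tier), set())

    def render(self, provider):
        """Infrastructure language: the address/port rules a device in front of
        `provider` enforces. IPs appear only here, at instantiation time (slide 24)."""
        rules = []
        for (consumer, prov), filters in self.contracts.items():
            if prov != provider:
                continue
            sources = [ip for tier, ip in self.endpoints.values() if tier == consumer]
            targets = [ip for tier, ip in self.endpoints.values() if tier == provider]
            for f in sorted(filters, key=lambda x: (x.proto, x.port)):
                rules += [f"permit {f.proto} {s} -> {t}:{f.port}" for s in sources for t in targets]
        return rules

def build_three_tier():
    """Client -> Web -> App -> DB; the 10.x VM addresses are slide 24's, ports constructed."""
    p = AppProfile("three-tier")
    p.allow("Client", "Web", "tcp", 443)
    p.allow("Web", "App", "tcp", 8080)
    p.allow("App", "DB", "tcp", 3306)
    p.attach("client1", "Client", "198.51.100.10")  # constructed client address
    p.attach("web1", "Web", "10.2.4.7")
    p.attach("app1", "App", "10.9.3.37")
    p.attach("db1", "DB", "10.32.3.7")
    return p

if __name__ == "__main__":
    p = build_three_tier()
    print(p.permits("web1", "app1", "tcp", 8080), p.render("DB"))
    p.attach("db1", "DB", "10.50.0.7")  # constructed: the DB VM moved; policy unchanged
    print(p.permits("app1", "db1", "tcp", 3306), p.render("DB"))
```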
27. APIC-EM: Common Policy Model from Branch to Data Center
• Application Network Flow Profile: SLA, Security, QoS, Load Balancing
• User and Things Network Profile: QoS, Security, SLA, Device, Location, Role
• One policy spanning Cloud, Data Center, WAN and Access
Cisco® advantage: brownfield and greenfield, end to end; a policy framework focused on application and user enablement
28. Ultra Service Platform: From Physical to Virtualized Mobile Networks
• Physical Mobile Network: a Services Core of Firewall, Policy, Packet Core, Voice and DPI appliances
• Virtual Mobile Network: NFV infrastructure hosting Virtual Functions (VPC, Voice, Security, vDPI, vPolicy), each with its EMS, under MANO (NFVO, VNFM, VIM); services delivered: Internet, Voice
29. Agile Carrier Ethernet - ACE
• Transport: autonomic, self-deployed and self-protected, dynamic, ECMPs, flexible traffic engineering
• Service: SDN + BGP for service, programmable
Diagram: Transport layer (Segment Routing, Auto-discovery) and Service layer (SDN Controller, Netconf/yang): a minimal but “sufficient” distributed control plane on the network nodes, with centralized intelligence on the SDN service controller
30. Agile Carrier Ethernet - ACE
• Autonomic Networking: Virtual Out of Band Channel, Autonomic Control Plane, Secure & Zero Touch deployment, Auto IP / IP unnumbered, Reduced Protocols
• Segment Routing: Application Integration, TI-LFA, Simplified TE
• SDN Orchestration: NSO / Tail-F for Service and static Label provisioning, XRv for central control plane, Open SDN Controller and WAE as add-ons for SR TE
31. Autonomic Networking: Secure, Plug-n-Play
Diagram: a Registrar and new nodes across a dark Layer 2 cloud, with AAA Misconfig / Routing Misconfig (cartoon characters Michael and Steve)
• Plug-n-Play: a new node uses its v6 link-local address to build adjacency with existing nodes; no initial configuration is required
• Secure: the new node is authenticated using its ID, and then builds encrypted tunnels with its adjacent nodes
• Always-on VOOB: consistent reachability between the Controller and network devices over a Virtual Out-of-band management VRF. Even with user misconfiguration, the VOOB will still remain up
32. Transport Evolution with Segment Routing (SR)
• Application Enabled Forwarding
- Each engineered application flow is mapped on a path
- A path is expressed as an ordered list of segments
- The network maintains segments
• Simple: fewer protocols, less protocol interaction, less state
- No requirement for RSVP, LDP
• Scale: fewer label databases, fewer TE LSPs
- Leverage MPLS services & hardware
• Forwarding based on labels with a simple ISIS/OSPF extension
• 50 msec FRR service level guarantees
• Leverage the multi-service properties of MPLS
Diagram: millions of application flows; a path is mapped on a list of segments; the network only maintains segments, no application state. The state is no longer in the network but in the packet.
33. ACE Transport: Unified MPLS with Segment Routing
Unified MPLS with SR: Simplified MPLS Transport
• Isolated network domains with common IP/MPLS technology using segment routing
• Autonomic: auto-discovery, plug-n-play
• Intra-domain routing: shortest-path, TI-FRR, anycast node SID for node redundancy
• Inter-domain routing: SDN controlled inter-domain end-to-end routing
• Backward compatible with existing unified MPLS networks: LDP/RSVP-TE, RFC 3107
Diagram: Access – Aggregation – Core – Aggregation – Access, plus a DC; A sits in one Metro IGP domain and B in the other, with a Core IGP domain and a DC domain between them, joined through the gateway pairs GW1 and GW2 under a Controller
34. ACE Transport Architecture: SDN controlled end-to-end LSP (SR segment list)
Diagram: A in Metro1 (IGP/SR metro island with gateways GW11 and GW12 sharing anycast SID 1001), a Core IGP domain, and B in Metro2 (IGP/SR metro island with gateways GW21 and GW22 sharing anycast SID 1002); NSO and OSC/WAE sit above the network, which reports its topology over BGP-LS
• Low latency path SR-TE binding SID: 16888 → [SID list for the SR-TE RED]
• SR label stack at A: [1001, 16888, B]
• OSC/WAE: WAE calculates the path and provides the information to NSO
• SR binding SIDs provide enhanced inter-domain TE without requiring deep label stack support on the access nodes
35. ACE Service Architecture: Unified VPN Service Model
Unified VPN simple service model
• P2P L2VPN: static PW provisioned by NSO
• MP L2VPN: static PW within the domain, EVPN between domains
• L3VPN: centralized on the GW node using PWHE virtual interface
Diagram: Access – Aggregation – Core – Aggregation – Access between A and B through the gateway pairs GW1 and GW2, with NSO performing VPN service provisioning. P2P L2VPN: one PW end to end; MP L2VPN: a PW in each domain, joined by EVPN between the domains; L3VPN (IP-VPN): a PW from the access node terminating on a PWHE interface at the GW
36. Automate Service Provisioning through SDN
Diagram: service nodes A, B, C, D and M, N, O, P, with Z at the far end; a CE attaches at A; the Controller (Service Provisioning) is driven by the SP’s OSS/BSS (Automation through open APIs); VRFs on the service nodes and a Static PW Label at each end
§ The label stack between service nodes is provided through Segment Routing
§ The SDN controller pushes static service labels on the end nodes through e.g. Netconf/Yang; optionally, stitching may be used on the mid-nodes
§ Service nodes implement the forwarding service (L3/L2 based), distributed or centralized
Tables on the slide:
Node | Anycast GW
A | 101
Z | 101
Service | Label
PW-123 | 123
PW-234 | 234
37. Optimize Infrastructure with SDN WAE
Diagram: the Controller (WAE) above nodes A, B, C, D and M, N, O, P, Z; one link is marked FULL; path AZ is expressed as {66, 68, 65}, the segments of the re-optimized path; PCEP runs toward the source node, BGP-LS from the network to the controller
§ The SDN controller, such as the WAN Automation Engine, monitors and re-optimizes the infrastructure according to Service Provider business rules (h, link cost, delay)
§ The SDN controller instantaneously modifies network flows by pushing a label stack to the source node only
§ PCEP provides programmatic interfaces to the source nodes while BGP-LS provides network state to the controller
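Added example, not from the deck: a small Python model of the forwarding mechanism behind slides 32, 34 and 37. The label stack carries the path, each node pops its own SID and forwards the rest toward the next one, and a binding SID on the gateway expands into the SR-TE segment list, so the access node A only ever carries the three-label stack [1001, 16888, B] from slide 34 while the controller steers the flow by touching the source node alone. Labels 1001, 1002 and 16888 and the node names are the slide's; the topology, the 16xxx node SIDs, the transit nodes C1/C2 and the RED path choice are constructed.

```python
from collections import deque

# Constructed topology (undirected links). Node names follow slide 34; the core
# transit nodes C1/C2 and the link layout are assumptions made for this example.
LINKS = [("A", "GW11"), ("A", "GW12"), ("GW11", "C1"), ("GW12", "C2"),
         ("C1", "C2"), ("C1", "GW21"), ("C2", "GW22"), ("GW21", "B"), ("GW22", "B")]

# Prefix SIDs. 1001/1002 are the anycast gateway SIDs shown on the slide (two
# gateways share one SID for redundancy); the 16xxx node SIDs are constructed.
SIDS = {"A": 16001, "B": 16002, "C1": 16011, "C2": 16012,
        "GW11": 1001, "GW12": 1001, "GW21": 1002, "GW22": 1002}

# Binding SID 16888 (slide 34) installed on the Metro1 gateways. It stands for the
# SR-TE "RED" policy; in this constructed network RED steers via C2 and GW22, so
# the deep stack lives on the gateway and the access node needs three labels.
BINDING = {("GW11", 16888): [16012, 1002], ("GW12", 16888): [16012, 1002]}


def adjacency():
    adj = {}
    for a, b in LINKS:
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    return adj


def next_hop(adj, src, sid):
    """IGP-style shortest path: first hop from src toward the nearest owner of sid."""
    owners = {n for n, s in SIDS.items() if s == sid}
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node in owners:
            while prev[node] != src:      # walk back to the hop adjacent to src
                node = prev[node]
            return node
        for nbr in adj[node]:
            if nbr not in prev:
                prev[nbr] = node
                queue.append(nbr)
    raise ValueError(f"{src}: no owner of SID {sid} is reachable")


def forward(ingress, stack, max_hops=32):
    """Walk a packet through the network. Returns (nodes visited, stack at each node).

    The only per-node state is SIDS/BINDING, which is per segment, not per flow:
    the path itself travels in the label stack (slide 32)."""
    adj, node, stack = adjacency(), ingress, list(stack)
    path, trace = [ingress], []
    for _ in range(max_hops):
        while stack and SIDS[node] == stack[0]:    # NEXT: own SID reached, pop it
            stack.pop(0)
        if stack and (node, stack[0]) in BINDING:  # binding SID -> bound SID list
            stack = BINDING[(node, stack[0])] + stack[1:]
        trace.append((node, list(stack)))
        if not stack:                              # egress: nothing left to follow
            return path, trace
        node = next_hop(adj, node, stack[0])       # CONTINUE toward the top SID
        path.append(node)
    raise RuntimeError("hop limit exceeded")


if __name__ == "__main__":
    for label, stack in (("IGP shortest path", [16002]),
                         ("SR-TE via binding SID", [1001, 16888, 16002])):
        path, trace = forward("A", stack)
        print(f"{label}: {' -> '.join(path)}")
        for node, st in trace:
            print(f"   at {node}: stack {st}")
```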
38. From device-centric to network-as-platform
Now: Orchestration (NSO) and SDN Controller (WAE): centralized service provisioning, working with existing network devices
Next: ACE Network-as-Platform: Orchestration (NSO) and SDN Controller (XRv+ODL, WAE)
• On Device: minimal but sufficient – AN: Autonomic Networking; SR: Segment Routing; VPN services: eVPN + static PW
• Network as Platform: fully programmable; the device is a PnP component
NSO: Network Service Orchestrator; WAE: Wan Automation Engine; ODL: Open Daylight
39. Summary
§ SDN and NFV are evolving; Cisco is developing solutions based on open standards and market requirements
§ SDN and NFV cover all segments in the network
§ NFV is maturing, with many deployments in production
§ More development is needed in SDN solutions
§ IT engineers also need to evolve from hardware-centric to software-centric
§ Basic knowledge of IT (OS, network, hypervisor, etc.) is the foundation of SDN and NFV
§ Cisco provides a development portal for engineers: http://Devnet.cisco.com