
SDN & NFV Introduction

Open Source Data Center Networking

Thomas Graf <tgraf@redhat.com>


Red Hat, Inc.

Spring, 2014
Agenda
● Problem Statement
– Networking Challenges
● Path to resolution
– Software Defined Networking, Network Virtualization, NFV & Service Chaining
● What about Code?
– OpenDaylight, Open vSwitch, OpenStack
● Look Ahead
– Group Based Policy Abstraction
Problem Statement: Networking Challenges
"She can't take much more of this, captain!"
Managing Forwarding Elements
● Vendor specific management tools
● Little automation
● Slow and error prone
[Diagram: Developer → Service Ticket → NetOps → Vendor UI / CLI; turnaround 1d – 2 weeks]
Change in Traffic Patterns
● Increased demand for bisectional traffic
● Limited room for additional costs
[Chart: traffic mix shifting from 95% / 5% to 20% / 80% by 2014 (* Gartner Synergy Report)]


Dynamic Workloads
● Virtualization (Live Migration) & Cloud
● Respond in real time
– Services are started/stopped dynamically, network needs to adapt.
● Bring Your Own Device
[Diagram: live migration of a VM between two hypervisors]
Debugging
Debugging complex networks is hard
Cost per Core
Network Definition
● Collection of endpoints and forwarding elements
● Responsible for moving packets between hosts
● Source hosts identify destination
● Forwarding elements direct traffic at each intersection
Classic Forwarding Device
● Management interface – CLI, Console, SNMP, ...
● Control Plane – Forwarding Decision (Learning, RIB Lookup), Routing Protocols (OSPF, BGP, ...)
● Data / Forwarding Plane – Fabric, Flow Table, Forwarding Engine
Path to Resolution: Software Defined Networking
Software Defined Networking
"In the Software Defined Networking architecture, the control and data planes are decoupled, network intelligence and state are logically centralized, and the underlying network infrastructure is abstracted from the applications."
– Software-Defined Networking: The New Norm for Networks, ONF White Paper, April 13, 2012
SDN – Abstraction
A logically centralized controller programs the network based on a global view.
[Diagram: before, every device couples its own control plane and data plane and is managed through a vendor specific protocol, SNMP or console; after, one controller with applications (App) on top programs all data planes]
"We've taken over the network"
– James Hamilton, VP, Amazon Web Services, Nov, 2013
What Really Matters
● Closed Source → Open Source
● Network Engineer → Network Developer
● Vendor Led → Community Driven
● CLIs → APIs
● Network Appliances → NFV (Software)
Open Source Defines SDN
SDN Promises
● Highly automated & dynamically provisioned
● Enables innovation, experimentation & optimizations
● Virtualizes network & abstracts the hardware
● Makes the network programmable
● Enables overlays with control at edges
OpenFlow
An Open Standard behind SDN
1. Match on bits in packet header L2-L4 plus meta data
2. Execute actions:
● Forward to port
● Drop
● Send to controller
● Mangle packet
"OpenFlow enables networks to evolve, by giving a remote controller the power to modify the behavior of network devices, through a well-defined "forwarding instruction set". The growing OpenFlow ecosystem now includes routers, switches, virtual switches, and access points from a range of vendors."
– ONF Website
Programmable Flow Table
● Extensive flow matching capabilities:
– Layer 1 – Tunnel ID, In Port, QoS priority, skb mark
– Layer 2 – MAC address, VLAN ID, Ethernet type
– Layer 3 – IPv4/IPv6 fields, ARP
– Layer 4 – TCP/UDP, ICMP, ND
● One or more actions:
– Output to port (port range, flood, mirror)
– Discard, Resubmit to table x
– Packet Mangling (Push/Pop VLAN header, TOS, ...)
– Send to controller, Learn
Is it production ready?
Google claims 95% network utilization!
Path to Resolution: Network Virtualization
Network Virtualization
What do we need?
1. Virtualize network topology on Layer 2-7
- Run previous workload without changes
2. Decouple logical from physical topology
- A virtual network should run anywhere
3. Allow for isolated tenant networks
- Multiple customers/applications per network
4. Provide APIs to manage network abstraction
- Orchestrate & automate
Naive VLAN Mapping
Max 4096 VLANs
[Diagram: three compute nodes, each hosting VM1–VM3 behind a vSwitch, with VLAN 1, VLAN 2 and VLAN 3 assigned per compute node and connected through a fabric of physical switches]
VLAN Trunking
Max 4096 VLANs
[Diagram: the same three compute nodes; VLANs are trunked through the physical switches so that VM1, VM2 and VM3 on different nodes can share a VLAN]
Network Overlay
[Diagram: the same three compute nodes; the vSwitches carry VM traffic in tunnels across the physical switches]
Encapsulation
● Stateful: VPN, L2TP, SSH, ...
● Stateless: VXLAN, NVGRE, Geneve, GUE, LISP, STT, ...
VXLAN Encapsulation
[Diagram]
Network Abstraction
[Diagram: VMs attach to logical switches; the logical switches are realized on top of a fabric of physical switches]
NFV & Service Chaining
NFV
Problem Statement
● Non commodity hardware
● Physical install per appliance per site
● Large development barriers
● Innovation constraints & limited competition
NFV
What do we want?
1. Virtualization
– Run functions on scalable commodity hardware
2. Abstraction
– Limited dependency on physical layer
3. Programmability
– APIs to implement automation
4. Orchestration
– Centralized orchestration
– Reduced maintenance
NFV
Who is behind NFV?
● Originally operator driven
– ETSI – European Telecommunications Standards Institute
● Evolved into a generic concept
● Open to any company
Service Chaining
Moving network functions into software means that building a service chain no longer requires acquiring hardware.
Build your own Open Source Data Center
OpenDaylight's mission is to facilitate a community-led, industry-supported open source platform, including code and architecture, to accelerate adoption of Software-Defined Networking and Network Functions Virtualization.
Framework
Open vSwitch is a virtual multi layer switch for hypervisors providing network connectivity to virtual machines.
[Diagram: the Controller (OpenDaylight) programs the switches over OpenFlow / OVSDB; VMs attach to the switches]
Open vSwitch
● Apache License (User Space), GPL (Kernel)
● Extensive flow table programming capabilities
● OpenFlow 1.1+ (1.1, 1.2, 1.3, extensions)
● Designed to manage overlay networks
● VLAN, VXLAN, GRE, LISP, ...
● Remote management protocol (OVSDB)
● Monitoring capabilities
L2 Segregation (VLAN)
VLAN isolation enforces VLAN membership of a VM without the knowledge of the guest itself.
[Diagram: on the host system the vSwitch adds the VLAN header to frames leaving the VM and removes it from frames entering the VM; VM1–VM3 on VLAN 1 / VLAN 2]
# ovs-vsctl add-port ovsbr port2 tag=10
Overlay Networks
Tunneling provides isolation and reduces dependencies on the physical network.
[Diagram: a Controller programs Open vSwitch on Compute Node 1 and Compute Node 2 over OpenFlow and OVSDB; VM1–VM6 are placed in VNET 1 and VNET 2, which span both nodes through a tunnel across the network]
Visibility
Supports industry standard technology to monitor the use of a network.
● NetFlow
● Port Mirroring
● SPAN
● RSPAN
● ERSPAN
Feature: Quality of Service
● Uses existing Traffic Control Layer
● Policer (Ingress rate limiter)
● HTB, HFSC (Egress traffic classes)
● Controller (OpenFlow) can select Traffic Class
[Diagram: Compute Node with VM1 on port1 and VM2 on port2 of ovsbr, VLAN 10; port2 limited to 1mbit]
# ovs-vsctl set Interface port2 \
    ingress_policing_rate=1000
OpenStack
"To produce the ubiquitous open source cloud computing platform that will meet the needs of public and private cloud providers regardless of size, by being simple to implement and massively scalable."
OpenStack Architecture
Overlay Networks with OpenStack Neutron and Open vSwitch
[Diagram: Compute Node 1 (A1, B1), Compute Node 2 (A2, B2) and Compute Node 3 (A3, B3, C3) each run br-int and br-tun; VXLAN tunnels between the br-tun bridges connect the compute nodes and the Network Node, which runs br-int, br-tun, br-ex, DHCP and L3]
VID 11 ↔ VNI 1
VID 49 ↔ VNI 13
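The VID ↔ VNI rewrite at br-tun, and the transparent VLAN push/pop from the L2 Segregation slide, as an added example (not Open vSwitch or Neutron code). It assumes the slide's two mappings and builds its own frames; a VNI with no local mapping is dropped rather than guessed.

```python
import struct

# Constructed mapping mirroring the slide's VID <-> VNI table (assumption:
# br-int carries local VLAN IDs, br-tun swaps them for the tenant's VNI).
VID_TO_VNI = {11: 1, 49: 13}
VNI_TO_VID = {vni: vid for vid, vni in VID_TO_VNI.items()}

ETH_P_8021Q = 0x8100         # 802.1Q tag protocol identifier
VXLAN_FLAG_VNI_VALID = 0x08  # 'I' bit: the VNI field is valid

def pop_vlan(frame):
    """Return (vid, untagged_frame) for an 802.1Q tagged Ethernet frame."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        raise ValueError("frame is not 802.1Q tagged")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]   # VID = low 12 bits of TCI

def push_vlan(frame, vid):
    """Insert an 802.1Q tag (priority 0) between source MAC and EtherType."""
    if not 0 < vid < 4095:
        raise ValueError("VID must be in 1..4094")
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[12:]

def vxlan_encap(tagged_frame):
    """br-tun egress: strip the local VID, map it to the VNI, prepend VXLAN."""
    vid, inner = pop_vlan(tagged_frame)
    vni = VID_TO_VNI[vid]          # KeyError: VLAN belongs to no tenant network
    # 8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1); VNI << 8
    # places the 24-bit VNI in the upper three bytes of the last word.
    return struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8) + inner

def vxlan_decap(packet):
    """br-tun ingress: validate the header, map the VNI back to the local VID."""
    flags, vni_word = struct.unpack("!B3xI", packet[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN header without the VNI-valid bit")
    vni = vni_word >> 8
    if vni not in VNI_TO_VID:
        # Unknown tenant: drop rather than guess a VLAN and cross tenants.
        raise ValueError("unknown VNI %d" % vni)
    return push_vlan(packet[8:], VNI_TO_VID[vni])

def demo():
    """Round trip a constructed frame from a VM on local VLAN 11 (VNI 1)."""
    inner = bytes.fromhex("0a0000000002" "0a0000000001" "0800") + b"payload"
    wire = vxlan_encap(push_vlan(inner, 11))
    return wire, vxlan_decap(wire)
```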
Group Based Policy Abstraction
Network APIs are there. Now what?
Applications do not care about subnets, ports, or virtual networks.
Application Centric APIs
Allow application administrators to express networking requirements using group and policy abstraction.
Leave the technical implementation to the network.
Terminology
Connectivity Group: Collection of endpoints (MAC/IP on vNIC) with a common policy.
Policy: Set of Policy Rule objects describing policy. Policies may be applied between groups, or alternatively, applied to a single group using provide / consume relations.
Policy Rule: Specific <classifier, action> pair, part of a policy.
– Classifier: L4 ports + protocol
– Actions: Permit / Deny, QoS action, service chain redirection
Policy as a Service
● Group is providing service as defined by policy
● Service mostly unaware of consumer
Policy between Groups
● Policy defined between pair of groups
● Policy may apply to multiple relationships
● Producer is aware of consumer
Example: Policy between Groups
[Diagram]
Questions
References
● OpenDaylight – http://www.opendaylight.org/
● Open vSwitch – http://www.openvswitch.org/
● OpenFlow – http://www.openflow.org/
● Open Networking Foundation – http://www.opennetworking.org/
● Red Hat OpenStack – http://www.redhat.com/openstack/
● OpenStack – http://www.openstack.org/
● Inter-Datacenter WAN with centralized TE using SDN and OpenFlow [Google] – http://bit.ly/18zgPE3
Backup
Open vSwitch
Deep Dive
Flow Table
Controller programs flow table in the slow path that feeds the flow table in the fast path upon request.
[Diagram: VMs attach through tap devices to the Open vSwitch slow path in user space, which the controller programs over OpenFlow; the kernel fast path sits between it and the physical interface]
Architecture
[Diagram: a packet enters from the device (1) and is looked up in the kernel datapath flow table; on a miss it is sent to user space as an upcall (2) and processed by ovs-vswitchd (3), which installs the flow over Netlink (4) and reinjects the packet (5); the kernel datapath then processes it (6) and sends it to the device (7). Management workflow: ovs-ofctl (OpenFlow) and ovs-dpctl talk to vswitchd, which also exports sFlow; ovs-vsctl and ovsdb-tool talk to ovsdb. The physical interface runs in promiscuous mode.]
Flow Table Rules
● Flow matching capabilities
● Meta – Tunnel ID, In Port, QoS priority, skb mark
● Layer 2 – MAC address, VLAN ID, Ethernet type
● Layer 3 – IPv4/IPv6 fields, ARP
● Layer 4 – TCP/UDP, ICMP, ND
● Possible chain of actions
● Output to port (port range, flood, mirror)
● Discard, Resubmit to table x
● Packet Mangling (Push/Pop VLAN header, TTL, NAT, ...)
● Send to controller, Learn
Modifying the Flow Table
Strip VLAN header of all packets from MAC address 11:22:33:44:55:66 and forward packet to port 1.
# ovs-ofctl add-flow ovsbr \
    dl_src=11:22:33:44:55:66,actions=strip_vlan,output:1
# ovs-ofctl dump-flows ovsbr
[...]
cookie=0x0, duration=36.24s, table=0, n_packets=0, n_bytes=0, idle_age=36, dl_src=11:22:33:44:55:66 actions=strip_vlan,output:1
Megaflows
● Fast path made capable of handling wildcard flows
● Transparent optimization
Exact match flow (before):
in_port=3, src_mac=02:80:37:ec:02:00, dst_mac=0a:e0:5a:43:b6:a1, vlan=10, eth_type=0x0800, ip_src=10.10.1.1, ip_dst=10.10.1.2, tcp_src=80, tcp_dst=32990, ...
Megaflow (after):
in_port=3, src_mac=02:80:37:ec:02:00, dst_mac=0a:e0:5a:43:b6:a1, vlan=10
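The slow path / fast path split behind the ovs-ofctl flow above and the megaflow cache, as an added model (not Open vSwitch code): the Switch class, its method names and the packets are assumptions; match field names follow ovs-ofctl (dl_src, in_port, dl_vlan). The cached entry is keyed only on the fields the table walk actually compared, which is why a second packet differing only in TCP port never reaches user space.

```python
# Constructed model of the slow path / fast path split: the OpenFlow table
# holds wildcard rules in ovs-ofctl syntax, the kernel cache holds megaflows.

def parse_flow(text):
    """Parse 'dl_src=...,actions=strip_vlan,output:1' into (match, actions)."""
    match_part, _, action_part = text.partition("actions=")
    match = dict(kv.split("=", 1) for kv in match_part.strip(",").split(",") if kv)
    return match, action_part.split(",")

class Switch:
    def __init__(self, flows):
        self.table = [parse_flow(f) for f in flows]   # highest priority first
        self.megaflows = []   # list of (examined field -> value, actions)
        self.upcalls = 0

    def slow_path(self, pkt):
        """Walk the OpenFlow table and record every field that was compared."""
        examined = {}
        for match, actions in self.table:
            for field, value in match.items():
                examined[field] = pkt.get(field)
                if pkt.get(field) != value:
                    break          # rule rejected, try the next one
            else:
                return examined, actions
        return examined, ["drop"]  # table miss is treated as drop in this model

    def process(self, pkt):
        """Fast path: match a cached megaflow; on a miss upcall and install one."""
        for examined, actions in self.megaflows:
            if all(pkt.get(f) == v for f, v in examined.items()):
                return actions
        self.upcalls += 1
        examined, actions = self.slow_path(pkt)
        # The megaflow wildcards every field the lookup never touched, so
        # later packets differing only in, say, TCP ports hit the cache.
        self.megaflows.append((examined, actions))
        return actions

def demo():
    """Two packets with equal L2 headers but different L4 ports: one upcall."""
    sw = Switch(["dl_src=11:22:33:44:55:66,actions=strip_vlan,output:1",
                 "in_port=3,dl_vlan=10,actions=output:2"])
    pkt = {"in_port": "3", "dl_src": "02:80:37:ec:02:00", "dl_vlan": "10",
           "dl_dst": "0a:e0:5a:43:b6:a1", "nw_src": "10.10.1.1",
           "nw_dst": "10.10.1.2", "tp_src": "80", "tp_dst": "32990"}
    first = sw.process(pkt)
    second = sw.process(dict(pkt, tp_dst="443"))
    return first, second, sw.upcalls, sorted(sw.megaflows[0][0])
```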
Multi Threading
● Multiqueue NICs spread load across all cores
● Maps kernel NIC Queue => CPU core mapping to user space
● Allows slow path to scale across cores
[Diagram: each NIC queue is mapped to a CPU core (Core 1–3) and served by its own ovs-vswitchd thread]
Examples
Defining a Switch & Ports
Creating a new virtual switch “ovsbr” with port “vm1”
# service openvswitch start
# ovs-vsctl add-br ovsbr
# ovs-vsctl add-port ovsbr port1
# ovs-vsctl show
7c68e54f-1618-41f4-bd16-2fd781488266
    Bridge ovsbr
        Port ovsbr
            Interface ovsbr
                type: internal
        Port "port1"
            Interface "port1"
    ovs_version: "1.7.3"
[Diagram: Compute Node with VM1 on port1 of ovsbr]
Using Red Hat ifcfg- scripts
/etc/sysconfig/network-scripts/ifcfg-ovsbr
TYPE=OVSBridge
DEVICE=ovsbr
ONBOOT=yes

/etc/sysconfig/network-scripts/ifcfg-port1
TYPE=OVSIntPort
OVS_BRIDGE=ovsbr
DEVICE=port1
ONBOOT=yes

# ifup port1
[Diagram: Compute Node with VM1 on port1 of ovsbr]
... with libvirt
/etc/sysconfig/network-scripts/ifcfg-ovsbr
TYPE=OVSBridge
DEVICE=ovsbr
ONBOOT=yes

virsh# edit <domain>
<interface type='bridge'>
  <source bridge='ovsbr'/>
  <virtualport type='openvswitch' />
</interface>

Start VM and it just works!
[Diagram: Compute Node with VM1 attached to ovsbr through a port named by UUID]
VLAN Isolation
# ovs-vsctl add-port ovsbr port2 tag=10
[Diagram: Compute Node with VM1 on port1 and VM2 on port2 of ovsbr; port2 on VLAN 10]
Traffic Shaping
Limit all traffic received from VM on port port2 to 1Mbit/s.
# ovs-vsctl set Interface port2 \
    ingress_policing_rate=1000
[Diagram: Virtual Host with VM1 on port1 and VM2 on port2 of ovsbr, VLAN 10; port2 limited to 1mbit]