Controller
The Definitive Software for Software-defined Networks
Tim Ogden
Arista Networks, Federal
[email protected]
Flow Granular Service Provisioning
• Agility
• Operational Performance
• Sustainable Scale
Agility = Choice of Operating Modes
• Interoperate with existing network architectures and topologies
• Transition to and from controller-based models without hardware changes
• Significantly improves the reliability and survivability of SDNs by combining the best of protocol-based and controller-based models
• Low-cost ability to shift modes
[Figure: two operating modes side by side, Controller-less Mode and Controller Mode. In both, the Control Layer is reached through eAPI or CLI, and Topology Construction is done by the existing protocols: IS-IS, BGP, OSPF, MLAG, PIM-SM.]
Pre-SDN Network
[Figure: every device (routers, switches, remote-access devices, …) runs its own vertical stack: L2/L3 and L4-7 apps on a per-device Operating System on Packet-Forwarding Hardware.]
‘Purist View’ SDN Network
[Figure: apps sit on a Well-defined Open API exposed by a Central Network Controller / Network Operating System, which programs each OpenFlow-compliant OS on its Packet-Forwarding Hardware over OpenFlow.]
Example: A Reactive Packet Flow
[Figure: an OpenFlow Controller above an Arista 7050 running the OF Agent in the switch, with hosts 10.0.1.2 and 10.0.1.3. The sample header is "12:32:45:67:89:ab | 01:01:01:01:01:01 | 10.0.1.2 | 10.0.1.3 | …" and the resulting rule reads "match xyz, rewrite VLAN, forward to port 42". Steps 1-5 below are numbered on the figure.]
1. Packet enters the first OpenFlow switch
2. Packet header is forwarded to the controller (packet_in)
3. Controller does a "lookup" based on the packet:
   • Any metadata about src and dst (e.g. tenant)?
   • Are src and dst on the same L2 network?
   • What is the best path from src to dst?
   • Any ACLs resolving to 'drop'?
   • Any tunnel encap or rewrites needed?
   • Any other external software/DBs to consult (RADIUS, directory)?
4. Controller sends flow table entries down to all switches on the path (flow_mods)
5. All subsequent matching packets flow at line rate
Proactive is possible too: just skip steps 1 and 2 and push the flow_mods before the traffic arrives.
So… What Then?
Key functions of the OpenFlow 1.0 API
• Controller <-> datapath interaction
  • Add/delete/modify forwarding entries in the datapath ("flow_mod")
  • Punt packets up to a controller ("packet_in")
  • Send packets to the datapath ("packet_out")
• "Matches" on packet fields (L1-L4) with a variety of "actions"
  • Switching: match L2, forward out port
  • Routing: match L3, decrement TTL, forward out port
  • Network Access Control: match ACL, drop
• Query statistics
  • Interface counters
  • Flow counters
  • Forwarding table usage
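The reactive flow (steps 2-5) and the flow_mod / packet_in messages listed above, worked through as an added example. This is not Arista or ONF reference code: it encodes the real OpenFlow 1.0 wire layouts (ofp_header, ofp_packet_in, ofp_match, ofp_flow_mod, ofp_action_output), but the tenant table, the cross-tenant ACL and the MAC-to-port table are hypothetical, and the packet_in is constructed from the frame on the slide (12:32:45:67:89:ab to 01:01:01:01:01:01, 10.0.1.2 to 10.0.1.3). The practitioner's point it adds: a denied flow gets an explicit drop entry (a flow_mod with no actions) so the switch stops punting it to the controller, instead of just "not installing a rule", which leaves the controller open to a packet_in flood.

```python
"""Reactive OpenFlow 1.0 controller logic for steps 2-5 of the slide.

Added example, not Arista or ONF code. Wire layouts are OF1.0; TENANT,
MAC_PORT and DENY_CROSS_TENANT are hypothetical policy state, and
sample_packet_in() constructs the message a switch would send.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

OFP_VERSION = 0x01
OFPT_PACKET_IN, OFPT_FLOW_MOD = 10, 14
OFPFC_ADD, OFPAT_OUTPUT = 0, 0
OFPP_NONE, OFP_NO_BUFFER = 0xFFFF, 0xFFFFFFFF
ETH_P_IP = 0x0800

HEADER = struct.Struct("!BBHI")               # version, type, length, xid
PACKET_IN = struct.Struct("!IHHBx")           # buffer_id, total_len, in_port, reason, pad
MATCH = struct.Struct("!IH6s6sHBxHBB2xIIHH")  # ofp_match, exactly 40 bytes
FLOW_MOD_TAIL = struct.Struct("!QHHHHIHH")    # cookie, command, idle, hard, priority, buffer_id, out_port, flags
ACTION_OUTPUT = struct.Struct("!HHHH")        # type, len, port, max_len

# OF1.0 wildcards: a set bit means "don't care". Start from all-wildcard and
# clear the fields this controller matches exactly (in_port, MACs, ethertype, IPs).
OFPFW_ALL = (1 << 22) - 1
OFPFW_IN_PORT, OFPFW_DL_SRC, OFPFW_DL_DST, OFPFW_DL_TYPE = 1 << 0, 1 << 2, 1 << 3, 1 << 4
OFPFW_NW_SRC_ALL, OFPFW_NW_DST_ALL = 0x3F << 8, 0x3F << 14
EXACT_L2L3 = OFPFW_ALL & ~(OFPFW_IN_PORT | OFPFW_DL_SRC | OFPFW_DL_DST | OFPFW_DL_TYPE
                           | OFPFW_NW_SRC_ALL | OFPFW_NW_DST_ALL)

# Hypothetical policy state consulted in step 3.
TENANT = {"10.0.1.2": "blue", "10.0.1.3": "blue", "10.0.2.9": "red"}
MAC_PORT = {bytes.fromhex("010101010101"): 42}   # dl_dst -> egress port on this switch
DENY_CROSS_TENANT = True


@dataclass(frozen=True)
class Keys:
    in_port: int
    dl_src: bytes
    dl_dst: bytes
    nw_src: str
    nw_dst: str


def parse_packet_in(msg: bytes) -> Keys:
    """Step 2: pull the L2/L3 keys out of a packet_in, trusting lengths we can see."""
    if len(msg) < HEADER.size + PACKET_IN.size:
        raise ValueError("truncated OpenFlow message")
    version, msg_type, length, _xid = HEADER.unpack_from(msg, 0)
    if version != OFP_VERSION or msg_type != OFPT_PACKET_IN or length != len(msg):
        raise ValueError("not a well-formed OF1.0 packet_in")
    _buffer_id, _total_len, in_port, _reason = PACKET_IN.unpack_from(msg, HEADER.size)
    frame = msg[HEADER.size + PACKET_IN.size:]
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        raise ValueError("only untagged IPv4 frames are handled here")
    return Keys(in_port, frame[6:12], frame[0:6],
                socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]))


def decide(k: Keys) -> Optional[int]:
    """Step 3: tenant metadata, then ACL, then destination lookup. None means drop."""
    src_t, dst_t = TENANT.get(k.nw_src), TENANT.get(k.nw_dst)
    if src_t is None or dst_t is None:
        return None                  # unknown endpoint: default deny
    if DENY_CROSS_TENANT and src_t != dst_t:
        return None                  # ACL resolves to drop
    return MAC_PORT.get(k.dl_dst)    # no known path yet: drop rather than flood


def build_flow_mod(k: Keys, out_port: Optional[int], xid: int, idle: int = 30) -> bytes:
    """Step 4: exact L2/L3 flow_mod. An empty action list is an explicit drop, which
    is what keeps a denied flow from generating a packet_in per packet."""
    match = MATCH.pack(EXACT_L2L3, k.in_port, k.dl_src, k.dl_dst, 0, 0, ETH_P_IP, 0, 0,
                       int.from_bytes(socket.inet_aton(k.nw_src), "big"),
                       int.from_bytes(socket.inet_aton(k.nw_dst), "big"), 0, 0)
    actions = b"" if out_port is None else ACTION_OUTPUT.pack(OFPAT_OUTPUT, 8, out_port, 0)
    body = match + FLOW_MOD_TAIL.pack(0, OFPFC_ADD, idle, 0, 100, OFP_NO_BUFFER, OFPP_NONE, 0) + actions
    return HEADER.pack(OFP_VERSION, OFPT_FLOW_MOD, HEADER.size + len(body), xid) + body


def handle_packet_in(msg: bytes) -> bytes:
    k = parse_packet_in(msg)
    return build_flow_mod(k, decide(k), xid=1)


def sample_packet_in(src_ip: str, dst_ip: str, in_port: int = 1) -> bytes:
    """Constructed packet_in carrying the frame from the slide (not a real capture)."""
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    frame = (bytes.fromhex("010101010101") + bytes.fromhex("1232456789ab")
             + struct.pack("!H", ETH_P_IP) + ipv4)
    body = PACKET_IN.pack(OFP_NO_BUFFER, len(frame), in_port, 0) + frame
    return HEADER.pack(OFP_VERSION, OFPT_PACKET_IN, HEADER.size + len(body), 7) + body


if __name__ == "__main__":
    for dst in ("10.0.1.3", "10.0.2.9"):
        fm = handle_packet_in(sample_packet_in("10.0.1.2", dst))
        print(dst, "flow_mod bytes:", len(fm), "actions:", fm[72:].hex() or "(none: drop)")
```

Same-tenant traffic to the slide's destination MAC yields an 80-byte flow_mod with one output action to port 42; the cross-tenant case yields a 72-byte flow_mod with no actions, an explicit drop that ages out after the idle timeout. A production controller would also wildcard what it does not need and rate-limit packet_in, but the shape of the exchange is this.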
Controller-less alternative - Digging deeper…
[Figure: the forwarding pipeline, left to right: Ingress Bridging (STP Port State, VLAN Membership Rules, Port ACL permit/drop, Storm Control, then the DirectFlow Rule and its DirectFlow Action), L2 Forwarding Rules (MAC FDB, Static Rules), Router ACLs (Layer 3 ACLs permit/drop), L3 Forwarding (Routing Table, Next-hop FDB), Egress ACLs, Egress Bridging.]
DirectFlow is applied after the L2 VLAN membership decision in the forwarding pipeline.
Controller-less Flow Actions
[Figure: a DF Rule applied to a frame arriving on Eth-1 as "VLAN N, Smac-A, Dmac-B" and the frame that leaves on Eth-2, Po-1, all ports in the VLAN, or the CPU, with examples such as VLAN X/Y/Z with SA/DB rewritten, ToS added, Internal TC 5, or CoS 7.]
Redirect Traffic to an Interface
• Single physical or port-channel interface
• Group of interfaces or the VLAN's flood set
• Send to the CPU
Change Egress Frame
• Change the egress VLAN of the frame
• Change the original Smac of the frame
• Change the original Dmac of the frame
Change QoS Parameters
• Change the CoS value of the matched flow
• Change the ToS value of the matched flow
• Change the internal TC of the matched flow
Mirror Traffic
• Mirror specific traffic flows on ingress to a monitor port
• Mirror specific traffic flows on egress to a monitor port
• Mirror specific traffic flows on ingress and egress to a monitor port
Controller-less Flow Matches/Actions
Match Fields
• Match on one or multiple fields
• Match on the SRC/DST (IP, MAC, port)
• Match on the input (port or port-channel)
• Match on Ethertype <0-65535>
• Match on CoS <0-7>
• Match on VLAN ID <0-4094>
• Match on SRC &/or DST IP/mask
• Match on protocol number
• Match ICMP code/type
• Match SRC/DST port numbers
• Match on IP TOS
Actions on Match
• Action output interface <list>, flood, CPU, drop
• Action drop
• Action set VLAN <n>
• Action set SRC/DST MAC
• Action set IP TOS
• Action set priority
• Action set transmit queue and CoS value
• Action ingress/egress traffic mirror
Controller-less Networks - Key Takeaways
• Paradigm shift to flow-based traffic programmability
• Choice of controller-less programmatic control of switch behavior
• Use dynamic network diagnostic data to programmatically handle specific traffic flows or exception traffic
Service Excellence – Programmable networks
[Figure: EOS, the Extensible Network O/S, on a Linux kernel with a central State Database. Agents include LED, ASIC Drivers, Spanning Tree, Command Line Interface, Interface Manager and Routing Protocols, alongside a Multi-device Mgmt Client, a Cloud Orchestration API, a KVM virtual machine, and Systems Integration with F5, Palo Alto, Splunk, etc.]
• OpenFlow 1.0/1.3 - multi-vendor services
• Customized flow pathing
• JSON Web Services API
• Local scripts - Python, TCL, Shell
• Local daemons/extensions - C++, Python, etc.
Service Excellence – Sustainable Scale
[Figure: four designs with their server scale, in order: Spline™ (middle of row), 100 to 2,000 servers; Layer 2 / MLAG, 100 to 10,000; Layer 3 / ECMP, 100 to 100,000+; L2 over Layer 3 VXLAN, 100 to 100,000+.]
The Definitive Software
-Tim Ogden
@AristaFederal
DirectFlow L2 Feature Interactions
DirectFlow Interaction with L2 Forwarding DB
• Even when a flow matches a DirectFlow rule, the SMAC of the flow is still learned and aged as normal
• DirectFlow rules have priority over all other MAC table rules, including static/drop entries
• When DirectFlow alters the VLAN, the MAC address is still learned on the original VLAN
• Egress VLAN rules still apply, so the rewritten VLAN must exist on the egress port
• Support for QinQ traffic with match on the outer VLAN tag
DirectFlow Interaction with Spanning Tree
• Operates after STP logic; packets RX/TX on a blocking STP port are dropped by STP
• BPDUs are always forwarded to the CPU; they can only be acted on by DirectFlow if STP is disabled
• LACP, LLDP and sFlow packets are always trapped to the CPU
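The order of operations those two bullet lists describe, as an added example that is not Arista code: a small model of one switch built only from the rules on the slide (STP first, control-plane traps, SMAC learning on the original VLAN, rule priority over the MAC table, egress VLAN membership). Ports, VLAN tables, rules and frames are constructed; BPDU, LACP and LLDP frames are recognised by their standard destination MAC and EtherType. It is useful for reasoning about why a DirectFlow rule "does not fire": in this model the answer is always one of the earlier pipeline stages.

```python
"""What happens to a frame before and after a DirectFlow rule matches at L2.

Added example, not Arista code: a model of the precedence rules listed on
the "DirectFlow L2 Feature Interactions" slide. Tables and frames are
constructed; the only real-world constants are the control-plane identifiers.
"""
from dataclasses import dataclass, field
from typing import Optional

BPDU_DMAC = "01:80:c2:00:00:00"   # IEEE 802.1D bridge group address
SLOW_PROTOCOLS = 0x8809           # EtherType used by LACP
LLDP = 0x88CC                     # EtherType used by LLDP


@dataclass
class Frame:
    in_port: str
    vlan: int
    smac: str
    dmac: str
    ethertype: int = 0x0800


@dataclass
class DirectFlowRule:
    match_vlan: int
    match_dmac: str
    out_port: str
    set_vlan: Optional[int] = None    # "action set VLAN <n>"


@dataclass
class Switch:
    port_vlans: dict                                  # port -> set of VLANs it carries
    stp_blocked: set = field(default_factory=set)
    stp_enabled: bool = True
    static_mac: dict = field(default_factory=dict)    # (vlan, mac) -> port or "drop"
    rules: list = field(default_factory=list)
    learned: dict = field(default_factory=dict)       # (vlan, mac) -> port

    def forward(self, f: Frame) -> str:
        # 1. STP runs before DirectFlow: a blocking ingress port drops the frame.
        if f.in_port in self.stp_blocked:
            return "drop:stp-ingress"
        # 2. LACP/LLDP are always trapped to the CPU; BPDUs too, unless STP is off.
        if f.ethertype in (SLOW_PROTOCOLS, LLDP):
            return "cpu"
        if f.dmac == BPDU_DMAC and self.stp_enabled:
            return "cpu"
        # 3. DirectFlow sits after the VLAN membership decision.
        if f.vlan not in self.port_vlans.get(f.in_port, set()):
            return "drop:vlan-membership"
        # 4. SMAC is learned as normal, on the ORIGINAL VLAN, even if a rule rewrites it.
        self.learned[(f.vlan, f.smac)] = f.in_port
        # 5. A matching rule beats every MAC-table entry, static/drop included.
        for r in self.rules:
            if r.match_vlan == f.vlan and r.match_dmac == f.dmac:
                egress_vlan = r.set_vlan if r.set_vlan is not None else f.vlan
                if r.out_port in self.stp_blocked:
                    return "drop:stp-egress"
                # 6. Egress VLAN rules still apply: the rewritten VLAN must exist on the port.
                if egress_vlan not in self.port_vlans.get(r.out_port, set()):
                    return "drop:egress-vlan-missing"
                return f"out:{r.out_port}:vlan{egress_vlan}"
        # 7. No rule: ordinary bridging, static entries first, then learned, else flood.
        target = self.static_mac.get((f.vlan, f.dmac)) or self.learned.get((f.vlan, f.dmac))
        if target == "drop":
            return "drop:static"
        if target:
            return f"out:{target}:vlan{f.vlan}"
        return f"flood:vlan{f.vlan}"


if __name__ == "__main__":
    sw = Switch(port_vlans={"Eth1": {10}, "Eth2": {10, 20}, "Eth3": {10}},
                static_mac={(10, "00:00:00:00:00:bb"): "drop"},
                rules=[DirectFlowRule(10, "00:00:00:00:00:bb", "Eth2", set_vlan=20)])
    print(sw.forward(Frame("Eth1", 10, "00:00:00:00:00:aa", "00:00:00:00:00:bb")))
    print("learned:", sw.learned)
```

The constructed switch has a static drop entry for the destination MAC, yet the DirectFlow rule wins and the frame leaves Eth2 on VLAN 20, while the source MAC is learned on VLAN 10, where it arrived. Point the same rule at a port that does not carry VLAN 20 and the frame is dropped at egress; block the ingress port in STP and it never reaches the rule at all.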
Service Excellence – Operational Performance
• Programmability – open and programmable network operating system, EOS
• Traffic Engineering – broadest set of controls and options for steering, shaping, redirecting and copying traffic
• Orchestration – API connections to cloud and virtualization platforms to automate provisioning
• Network Automation – OpenStack, OpenFlow, VMware
Heterogeneous SDN Network
[Figure: apps on a Well-defined Open API exposed by a Central Network Controller / Network Operating System. Each switch keeps its own Operating System with L2/L3 and L4-7 functions plus an OpenFlow 1.x agent on Packet-Forwarding Hardware, and the controller reaches it through APIs as well as OpenFlow 1.x.]
Software Defined Cloud Networks
Arista DirectFlow Control
• Enables direct CLI and eAPI control over specific flow switching operations
• Extends the capabilities of OpenFlow with controller-less operation and enables per-flow pattern matching with full control
• Enables firewall load balancing, purpose-built backup network consolidation, etc.
• Available Summer 2013
[Figure: Arista eAPI or CLI driving the switch directly.]
Software Defined Cloud Networks
Traditional Routing/Switching Mode
[Figure: Leaf-A (host 10.10.10.2) and Leaf-B (host 10.11.11.2) connected through Spine-A, Spine-B and Spine-C. The route is "10.11.11.0/24 via Spine-A" and "10.11.11.0/24 via Leaf-B"; Backup, HTTP, SMTP/Mail and SIP/Voice all follow it.]
Software Defined Cloud Networks
Custom Flow Programming
[Figure: same topology. Alongside "10.11.11.0/24 via Spine-A" a flow rule adds "@1800-2400 Backup via Spine-B"; the other side shows "10.11.11.0/24 via Spine-C" and "@1800-2400 Backup via Spine-C". Backup traffic is steered onto its own spine during the window while HTTP, SMTP/Mail and SIP/Voice keep the routed path.]
EOS API – Sample Show Request/Response
Request:
    {
      "jsonrpc": "2.0",
      "method": "runCli",
      "params": {
        "cmds": ["show interface Ethernet3"],
        "format": "json"
      },
      "id": 1
    }
Response:
    {
      "jsonrpc": "2.0",
      "result": [
        {
          "Ethernet3": {
            "bandwidth": 10000000,
            "description": "",
            "interfaceStatus": "up",
            "mtu": 9212,
            "physicalAddr": "0000.4401.0001"
          }
        }
      ],
      "id": 1
    }
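The client side of that exchange, as an added example that is not Arista's client library. build_request() reproduces the request shape shown on the slide (method "runCli", params.cmds and params.format, a numeric id) and parse_response() checks the reply before anything trusts it: the id must match, a JSON-RPC "error" object is raised rather than returning None, and the result must be a list with one entry per command. The HTTPS endpoint path "/command-api" and HTTP basic auth are assumptions; SAMPLE_RESPONSE is the slide's own response and SAMPLE_ERROR is constructed.

```python
"""Building and checking eAPI JSON-RPC requests and replies.

Added example, not Arista code. Request shape follows the slide; the
transport (HTTPS POST to /command-api with basic auth) is an assumption.
SAMPLE_RESPONSE is the slide's response, SAMPLE_ERROR is constructed.
"""
import base64
import json
import ssl
import urllib.request


def build_request(cmds, req_id=1, method="runCli", fmt="json"):
    """One JSON-RPC call carrying a list of complete CLI commands.
    Each cmd must be a single non-empty line; never splice untrusted input into one."""
    for c in cmds:
        if not isinstance(c, str) or "\n" in c or not c.strip():
            raise ValueError(f"bad CLI command: {c!r}")
    return {"jsonrpc": "2.0", "method": method,
            "params": {"cmds": list(cmds), "format": fmt}, "id": req_id}


def parse_response(body, expected_id):
    """Return the result list (one entry per command) or raise.
    Rejects replies to a different id and surfaces JSON-RPC errors."""
    msg = json.loads(body)
    if msg.get("jsonrpc") != "2.0" or msg.get("id") != expected_id:
        raise ValueError("reply does not match our request")
    if "error" in msg:
        err = msg["error"]
        raise RuntimeError(f"eAPI error {err.get('code')}: {err.get('message')}")
    result = msg.get("result")
    if not isinstance(result, list) or not result:
        raise ValueError("result must be a non-empty list")
    return result


def interface_status(show_interface_result, name):
    """interfaceStatus of one interface from a 'show interface' result entry."""
    return show_interface_result[name]["interfaceStatus"]


def call_eapi(host, user, password, cmds, cafile=None):
    """POST the request over HTTPS with basic auth (assumed transport), verifying
    the switch certificate. Credentials belong in the environment or a secret
    store, not in source. Not exercised offline."""
    req = build_request(cmds)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    http = urllib.request.Request(
        f"https://{host}/command-api", data=json.dumps(req).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(http, context=ctx, timeout=10) as resp:
        return parse_response(resp.read(), req["id"])


# The slide's response, as bytes a client would read off the wire.
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0",
    "result": [{"Ethernet3": {"bandwidth": 10000000, "description": "",
                              "interfaceStatus": "up", "mtu": 9212,
                              "physicalAddr": "0000.4401.0001"}}],
    "id": 1}).encode()

# Constructed error reply (code and text are illustrative, not from the slide).
SAMPLE_ERROR = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "error": {"code": 1002, "message": "invalid command"}}).encode()


if __name__ == "__main__":
    req = build_request(["show interface Ethernet3"])
    print(json.dumps(req, indent=2))
    result = parse_response(SAMPLE_RESPONSE, req["id"])
    print("Ethernet3 is", interface_status(result[0], "Ethernet3"))
```

Because eAPI executes whatever CLI strings it is handed with the caller's privileges, the command list is the trust boundary: build it from fixed strings and validated parameters, send it only over verified TLS, and treat an id mismatch or an error object as a failure rather than an empty result.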
Software Defined Cloud Networks
[Figure: EOS - Extensible Network O/S on a stock 2.6.31 x64 Linux kernel with sysDB, the central state database. Agents include LED, ASIC Drivers, Spanning Tree, CLI, Interface Manager and Routing Protocols, alongside a KVM virtual machine, a vCenter API and an XMPP client; eAPI sits beside them.]
eAPI links Arista to other industry leaders - bringing the best together for our customers