The Definitive Software for Software-defined Networks
Tim Ogden, Arista Networks, Federal
[email protected]

Flow Granular Service Provisioning
• Agility
• Operational Performance
• Sustainable Scale

Agility = Choice of Operating Modes
• Interoperate with existing network architectures and topologies
• Transition to and from controller-based models without hardware changes
• Significantly improves the reliability and survivability of SDNs by combining the best of protocol-based and controller-based models
• Low-cost ability to shift modes
(Diagram: Controller-less Mode and Controller Mode; Control Layer: eAPI or CLI; Topology Construction: IS-IS, BGP, OSPF, MLAG, PIM-SM)

Pre-SDN Network
(Diagram: routers, switches, remote-access devices …; each box runs its own L2/L3 and L4-7 apps on its own Operating System over its own Packet-Forwarding Hardware)

'Purist View' SDN Network
(Diagram: Apps over a Well-defined Open API to a Central Network Controller/Network Operating System, which speaks OpenFlow down to an OpenFlow-compliant OS on each box of Packet-Forwarding Hardware)

Example: A Reactive Packet Flow
(Diagram: OpenFlow Controller above an Arista 7050 running the OF Agent in Switch; sample packet 12:32:45:67:89:ab | 01:01:01:01:01:01 | 10.0.1.2 | 10.0.1.3 | …; resulting rule "match xyz, rewrite VLAN, forward to port 42")
1. Packet enters first OpenFlow switch
2. Packet header forwarded to controller (pkt_in)
3. Controller does a "lookup" based on pkt:
   • Any metadata about src and dst (e.g. tenant)?
   • Are src and dst on same L2 network?
   • What is the best path from src to dst?
   • Any ACLs resolving to 'drop'?
   • Any tunnel encap or rewrites needed?
   • Any other external software/DBs to use (radius, directory)?
4. Controller sends down flow table entries to all switches on the path (flow_mods)
5. All subsequent matching packets flow at line rate
Proactive is possible too! Just skip #1 and #2…

So… What Then?
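The five steps above, as an added example that is not part of the slides or Arista's code: a small in-memory switch keeps a flow table and punts a table miss to a controller (pkt_in); the controller consults tenant metadata and an ACL (step 3), answers with a flow entry (step 4) and also serializes that entry as an OpenFlow 1.0 OFPT_FLOW_MOD so the wire format the slide refers to is visible; every later packet of the flow is handled from the table (step 5). The hosts, attachment ports, tenant labels and ACL are constructed for the example. A denied flow gets an explicit drop entry installed, which matters in reactive mode: without it every packet of the denied flow would keep hitting the controller.

```python
"""Reactive OpenFlow 1.0 packet flow: switch agent, controller, FLOW_MOD encoder.
Added example; hosts, ports, tenants and the ACL are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# OpenFlow 1.0 wire constants (openflow.h, wire version 0x01)
OFP_VERSION = 0x01
OFPT_FLOW_MOD = 14
OFPFC_ADD = 0
OFPAT_OUTPUT = 0
OFPP_NONE = 0xFFFF
OFP_NO_BUFFER = 0xFFFFFFFF
OFPFW_ALL = (1 << 22) - 1          # every match field wildcarded
OFPFW_DL_TYPE = 1 << 4
OFPFW_NW_SRC_MASK = 0x3F << 8      # 6-bit prefix-length fields; 0 = exact match
OFPFW_NW_DST_MASK = 0x3F << 14


def ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


@dataclass(frozen=True)
class Pkt:
    dl_src: str
    dl_dst: str
    nw_src: str
    nw_dst: str
    in_port: int


@dataclass
class FlowEntry:
    nw_src: str
    nw_dst: str
    out_port: Optional[int]        # None = drop (a FLOW_MOD with no actions)
    priority: int = 100
    packets: int = 0               # per-flow counter, what "query statistics" reads back


def encode_flow_mod(entry: FlowEntry, xid: int) -> bytes:
    """OFPT_FLOW_MOD = header(8) + ofp_match(40) + flow_mod body(24) + actions."""
    # exact-match IPv4 src/dst; dl_type must be 0x0800 for the nw_* fields to count
    wildcards = OFPFW_ALL & ~OFPFW_DL_TYPE & ~OFPFW_NW_SRC_MASK & ~OFPFW_NW_DST_MASK
    match = struct.pack("!IH6s6sHBxHBBxx4s4sHH", wildcards, 0, b"\0" * 6, b"\0" * 6,
                        0, 0, 0x0800, 0, 0, ip4(entry.nw_src), ip4(entry.nw_dst), 0, 0)
    body = struct.pack("!QHHHHIHH", 0, OFPFC_ADD, 0, 0, entry.priority,
                       OFP_NO_BUFFER, OFPP_NONE, 0)
    actions = b"" if entry.out_port is None else struct.pack(
        "!HHHH", OFPAT_OUTPUT, 8, entry.out_port, 0)
    length = 8 + len(match) + len(body) + len(actions)
    return struct.pack("!BBHI", OFP_VERSION, OFPT_FLOW_MOD, length, xid) + match + body + actions


class Controller:
    def __init__(self):
        # step 3 inputs (constructed): tenant metadata, host attachment ports, an ACL
        self.tenant = {"10.0.1.2": "blue", "10.0.1.3": "blue", "10.0.2.9": "red"}
        self.port_of = {"10.0.1.2": 1, "10.0.1.3": 42, "10.0.2.9": 7}
        self.acl_drop = {("10.0.1.2", "10.0.2.9")}
        self.flow_mods: List[bytes] = []

    def decide(self, src: str, dst: str) -> FlowEntry:
        cross_tenant = self.tenant.get(src) != self.tenant.get(dst)
        if cross_tenant or (src, dst) in self.acl_drop or dst not in self.port_of:
            # explicit drop entry: repeats of a denied flow never reach the controller again
            return FlowEntry(src, dst, None, priority=200)
        return FlowEntry(src, dst, self.port_of[dst])

    def packet_in(self, pkt: Pkt) -> FlowEntry:      # step 2 lands here
        entry = self.decide(pkt.nw_src, pkt.nw_dst)
        self.flow_mods.append(encode_flow_mod(entry, xid=len(self.flow_mods) + 1))  # step 4
        return entry

    def proactive(self, switch: "Switch", src: str, dst: str) -> None:
        """Skip steps 1 and 2: push the entry before any packet arrives."""
        entry = self.decide(src, dst)
        self.flow_mods.append(encode_flow_mod(entry, xid=len(self.flow_mods) + 1))
        switch.table.append(entry)


class Switch:
    """The OF agent in the switch: flow table lookup, packet_in on a miss."""
    def __init__(self, controller: Controller):
        self.controller = controller
        self.table: List[FlowEntry] = []
        self.packet_ins = 0        # how often the slow path was taken

    def forward(self, pkt: Pkt) -> str:
        for e in sorted(self.table, key=lambda e: -e.priority):
            if (e.nw_src, e.nw_dst) == (pkt.nw_src, pkt.nw_dst):
                e.packets += 1
                return "drop" if e.out_port is None else f"port {e.out_port}"   # step 5
        self.packet_ins += 1                                   # table miss: steps 1 -> 2
        self.table.append(self.controller.packet_in(pkt))
        return self.forward(pkt)                               # the entry now exists


def run_scenario() -> dict:
    ctl = Controller()
    sw = Switch(ctl)
    allowed = Pkt("12:32:45:67:89:ab", "01:01:01:01:01:01", "10.0.1.2", "10.0.1.3", 1)
    denied = Pkt("12:32:45:67:89:ab", "02:02:02:02:02:02", "10.0.1.2", "10.0.2.9", 1)
    out = [sw.forward(allowed) for _ in range(3)] + [sw.forward(denied) for _ in range(3)]
    ctl.proactive(sw, "10.0.1.3", "10.0.1.2")                 # reverse direction, pre-installed
    out.append(sw.forward(Pkt("01:01:01:01:01:01", "12:32:45:67:89:ab", "10.0.1.3", "10.0.1.2", 42)))
    return {"out": out, "packet_ins": sw.packet_ins,
            "flow_mod_lengths": [len(m) for m in ctl.flow_mods]}


if __name__ == "__main__":
    print(run_scenario())
```

Six packets across two flows produce only two packet_in events; the pre-installed reverse flow produces none, which is the proactive case. The encoded FLOW_MOD is 80 bytes with one output action and 72 bytes for the drop entry, since an OpenFlow 1.0 flow with no actions drops.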
Key functions of the OpenFlow 1.0 API
• Controller<->datapath interaction
  • Add/delete/modify forwarding entries in the datapath ("flow_mod")
  • Punt packets up to a controller ("packet_in")
  • Send packets to the datapath ("packet_out")
• "Matches" on packet fields (L1-L4) with a variety of "actions"
  • Switching: match L2, forward out port
  • Routing: match L3, decrement TTL, forward out port
  • Network Access Control: match ACL, drop
• Query statistics
  • Interface counters
  • Flow counters
  • Forwarding table usage

Controller-less alternative - Digging deeper…
(Diagram of the forwarding pipeline: Storm Control; STP/VLAN (STP Port State, VLAN Membership Rules); Port ACL (Permit/Drop); DirectFlow Rule (DirectFlow Action); Ingress Bridging (L2 Forwarding Rules: MAC FDB, Static Rules); Router ACLs (Layer 3 ACLs: Permit/Drop); L3 Forwarding (Routing Table, Next-hop FDB); Egress ACLs; Egress Bridging)
DirectFlow is applied after the L2 VLAN membership decision in the forwarding pipeline

Controller-less Flow Actions
Redirect Traffic to an Interface
• Single Physical or Port-Channel Interface
• Group of Interfaces or the VLAN's flood set
• Send to the CPU
(Diagram: a DF Rule redirects the frame "VLAN N, Smac-A, Dmac-B" to Eth-1, Eth-2, Po-1, the CPU, or all ports in the VLAN)
Change QoS Parameters
• Change the CoS value of the match flow
• Change the ToS value of the match flow
• Change the internal TC for the match flow
(Diagram: DF Rules rewrite the match flow's ToS, its internal TC (e.g. 5) or its CoS (e.g. 7))
Change Egress Frame
• Change the egress VLAN of the frame
• Change the original Smac of the frame
• Change the original Dmac of the frame
(Diagram: a DF Rule rewrites "VLAN X, SA, DB" to "VLAN X, SB, DA")
Mirror Traffic
• Mirror specific traffic flows on ingress to a monitor port
• Mirror specific traffic flows on egress to a monitor port
• Mirror specific traffic flows on ingress and egress to a monitor port

Controller-less Flow Matches/Actions
Match Fields
• Match on one or multiple fields
• Match on the SRC/DST (IP, MAC, port)
• Match on the input (Port or Port-Channel)
• Match on Ethertype <0-65535>
• Match on CoS <0-7>
• Match on VLAN ID <0-4094>
• Match on SRC and/or DST IP/mask
• Match ICMP code/type
• Match on protocol number
• Match SRC/DST port numbers
• Match on IP TOS
Actions on Match
• Action ingress/egress traffic mirror
• Action set priority
• Action set VLAN <n>
• Action set SRC/DST MAC
• Action set IP TOS
• Action output interface <list>, flood, CPU, drop
• Action set transmit queue and CoS value
• Action drop

Controller-less Networks - Key Takeaways
• Paradigm shift to flow-based traffic programmability
• Choice of controller-less programmatic control of switch behavior
• Use dynamic network diagnostic data to programmatically handle specific traffic flows or exception traffic
(Diagram of EOS, the Extensible Network O/S: State Database on the Linux Kernel; agents for LED, ASIC Drivers, Spanning Tree, Command Line Interface, Interface Manager, Routing Protocols; Multi-device Mgmt Client; Cloud Orchestration API; KVM - Virtual Machine; Systems Integration - F5, Palo Alto, Splunk, etc.)

Service Excellence – Programmable networks
• OpenFlow 1.0/1.3 - multi-vendor services
• Customized flow pathing
• JSON Web Services API
• Local Scripts - Python, TCL, Shell
• Local Daemons/Extensions - C++, Python, etc.

Service Excellence – Sustainable Scale
Server scale per design (in the order the slide lists them):
• Spline™ (Middle of Row): 100 to 2,000 servers
• Layer 2 / MLAG: 100 to 10,000 servers
• Layer 3 / ECMP: 100 to 100,000+ servers
• L2 over Layer 3 VXLAN: 100 to 100,000+ servers
The Definitive Software - Tim Ogden @AristaFederal

DirectFlow L2 Feature Interactions
DirectFlow Interaction with L2 Forwarding DB
• Even when a flow matches a DirectFlow rule, the SMAC of the flow is still learned and aged as normal
• DirectFlow rules have priority over all other MAC table rules, including static/drop entries
• When DirectFlow alters the VLAN, the MAC address is still learned on the original VLAN
• Egress VLAN rules still apply, so the rewritten VLAN must exist on the egress port
• Support for QinQ traffic with match on the outer VLAN tag
DirectFlow Interaction with Spanning Tree
• Operates after STP logic; packets RX/TX on a blocking STP port are dropped by STP
• BPDUs are always forwarded to the CPU; they can only be acted on by DirectFlow if STP is disabled
• LACP, LLDP and sFlow packets are always trapped to the CPU

Service Excellence – Operational Performance
• Programmability – open and programmable network operating system – EOS
• Traffic Engineering – broadest set of controls and options for steering, shaping, redirecting and copying traffic
• Orchestration – API connections to cloud and virtualization platforms to automate provisioning
• Network Automation – OpenStack, OpenFlow, VMware

Heterogeneous SDN Network
(Diagram: Apps over a Well-defined Open API to a Central Network Controller/Network Operating System, which reaches each box through APIs as well as OpenFlow 1.x; every box keeps its own L2/L3 and L4-7 functions on its Operating System over Packet-Forwarding Hardware)

Software Defined Cloud Networks – Arista DirectFlow Control
• Enables direct CLI and eAPI control over specific flow switching operations
• Extends the capabilities of OpenFlow with controller-less operation and enables per-flow pattern-matching with full control
• Enables firewall load balancing, purpose-built backup network consolidation, etc.
(Control path: Arista eAPI or CLI)
Available Summer 2013

Software Defined Cloud Networks – Traditional Routing/Switching Mode
(Diagram: Spine-A, Spine-B and Spine-C above Leaf-A (10.10.10.2) and Leaf-B (10.11.11.2); Spine-A holds "10.11.11.0/24 via Leaf-B" and Leaf-A holds "10.11.11.0/24 via Spine-A"; traffic classes shown: Backup, HTTP, SMTP/Mail, SIP/Voice)

Software Defined Cloud Networks – Custom Flow Programming
(Diagram: same topology; flow rules "10.11.11.0/24 via Spine-A, @1800-2400 Backup via Spine-B" and "10.11.11.0/24 via Spine-C, @1800-2400 Backup via Spine-C" move the Backup class onto a different spine during the backup window while HTTP, SMTP/Mail and SIP/Voice keep the routed path)

EOS API – Sample Show Request/Response

Request:
{
  "jsonrpc": "2.0",
  "method": "runCli",
  "params": {
    "cmds": [
      "show interface Ethernet3"
    ],
    "format": "json"
  },
  "id": 1
}

Response:
{
  "jsonrpc": "2.0",
  "result": [
    {
      "Ethernet3": {
        "bandwidth": 10000000,
        "description": "",
        "interfaceStatus": "up",
        "mtu": 9212,
        "physicalAddr": "0000.4401.0001"
      }
    }
  ],
  "id": 1
}

Software Defined Cloud Networks – EOS
(Diagram: EOS - Extensible Network O/S on a stock 2.6.31 x64 Linux Kernel; sysDB - Central State Database; agents for LED, ASIC Drivers, Spanning Tree, CLI, Interface Manager, Routing Protocols; eAPI; XMPP Client; vCenter API; KVM - Virtual Machine)
eAPI links Arista to other industry leaders - bringing the best together for our customers
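The request/response exchange on the "EOS API – Sample Show Request/Response" slide, as an added example that is not Arista's code: it builds the JSON-RPC body exactly as the slide shows it, sends it through a pluggable transport, and validates the reply (protocol version, matching id, error member, one result per command) before reading any field. The HTTPS transport posts to the switch's /command-api endpoint with certificate verification on; the offline transport answers with a copy of the slide's response so the example runs without a switch. The host name, credentials and the stale reply are constructed.

```python
"""eAPI JSON-RPC round trip built from the slide's sample request/response.
Added example; switch host, credentials and the stale reply are constructed."""
import base64
import json
import ssl
import urllib.request
from typing import Callable, Dict, List, Optional, Sequence

Transport = Callable[[bytes], bytes]      # request body -> raw reply body


def build_request(cmds: Sequence[str], req_id: int = 1, method: str = "runCli") -> dict:
    """JSON-RPC 2.0 body in the shape the slide shows (method name copied from it)."""
    return {"jsonrpc": "2.0", "method": method,
            "params": {"cmds": list(cmds), "format": "json"}, "id": req_id}


def https_transport(host: str, user: str, password: str,
                    cafile: Optional[str] = None, timeout: float = 10) -> Transport:
    """HTTPS POST to https://<host>/command-api with basic auth.  Certificate
    verification stays on; pass cafile when the switch uses a private CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def send(body: bytes) -> bytes:
        req = urllib.request.Request(
            f"https://{host}/command-api", data=body, method="POST",
            headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.read()
    return send


def check_response(request: dict, raw: bytes) -> List[dict]:
    """Validate the reply against the request before trusting any field in it."""
    reply = json.loads(raw)
    if reply.get("jsonrpc") != "2.0":
        raise ValueError("not a JSON-RPC 2.0 reply")
    if reply.get("id") != request["id"]:
        raise ValueError(f"id mismatch: sent {request['id']}, got {reply.get('id')!r}")
    if "error" in reply:
        err = reply["error"]
        raise RuntimeError(f"eAPI error {err.get('code')}: {err.get('message')}")
    result = reply.get("result")
    if not isinstance(result, list) or len(result) != len(request["params"]["cmds"]):
        raise ValueError("result count does not match the number of commands sent")
    return result


def interface_status(result: List[dict], name: str) -> Dict[str, object]:
    """Pick the fields the slide's `show interface` result carries for one interface."""
    entry = result[0].get(name)
    if entry is None:
        raise KeyError(f"{name} not in result")
    return {"status": entry["interfaceStatus"], "mtu": entry["mtu"],
            "mac": entry["physicalAddr"], "bandwidth": entry["bandwidth"]}


# The slide's sample response, embedded so the example runs offline.
SLIDE_RESPONSE = {
    "jsonrpc": "2.0",
    "result": [{"Ethernet3": {"bandwidth": 10000000, "description": "",
                              "interfaceStatus": "up", "mtu": 9212,
                              "physicalAddr": "0000.4401.0001"}}],
    "id": 1,
}


def offline_transport(body: bytes) -> bytes:
    """Constructed stand-in for the switch: answers with the slide's reply."""
    return json.dumps(SLIDE_RESPONSE).encode()


def stale_transport(body: bytes) -> bytes:
    """Constructed failure mode: a reply whose id belongs to some other request."""
    return json.dumps(dict(SLIDE_RESPONSE, id=99)).encode()


def show_interface(name: str, transport: Transport = offline_transport,
                   req_id: int = 1) -> Dict[str, object]:
    request = build_request([f"show interface {name}"], req_id=req_id)
    raw = transport(json.dumps(request).encode())
    return interface_status(check_response(request, raw), name)


def id_mismatch_is_rejected() -> bool:
    """True when a reply carrying the wrong id is refused rather than parsed."""
    try:
        show_interface("Ethernet3", transport=stale_transport)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(show_interface("Ethernet3"))          # offline, from the slide's reply
    # live: show_interface("Ethernet3", https_transport("switch1", "admin", "<password>"))
```

eAPI is off by default on EOS and is enabled under `management api http-commands` with `no shutdown`; leave only the HTTPS transport enabled and keep certificate verification on, since the same channel that reads interface state can also push configuration. The method name `runCli` is copied from the slide; later eAPI documentation names the method `runCmds` and adds a `version` parameter, so confirm the body against the EOS release in use before reusing `build_request` verbatim.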