Brocade Software Networking
© 2015 BROCADE COMMUNICATIONS SYSTEMS, INC. COMPANY PROPRIETARY INFORMATION
Agenda
• Industry Trends
• Quick SDN / NFV Overview
• Introduction of Brocade SDN / NFV Portfolio
• Brocade Flow Optimizer REN Use Cases
An Industry in Transition
© 2014 BROCADE COMMUNICATIONS SYSTEMS, INC.
[Figure: timeline 1975 / 1995 / 2015]
• 1st Platform (1975): Mainframes, PCs; SNA Arch, Private Lines
• 2nd Platform: Client-Server; LAN/WAN, Internet & IP Networks
• 3rd Platform: Cloud, Mobile, Social, Data Analytics (“Digital business”)
• 7B mobile devices, 2B Internet users, 1B websites
• IT Relevance Gap: Expectations vs. Delivery
What the 3rd Platform Looks Like
[Figure: 3rd Platform (Cloud, Mobile, Social, Data Analytics; “Digital business”); 7B mobile devices, 2B Internet users, 1B websites; IT Relevance Gap between Expectations and Delivery; New IP]
• New IP: Compute, Networking, Storage
• Overlay, Underlay, Edge
• SDN, NFV, Orch, Fabrics
New IP—Transformation of the Network
A Customer Driven Disruption
From → To
• Closed → Open
• Proprietary HW → Commodity HW
• Proprietary OS → Open Source OS
• Proprietary Apps → Interoperable Apps
• Reactive → Proactive
• Isolated elements → Integrated system
• Manual → Automated
• High cost → Low cost
• Slow innovation → Rapid innovation
The New Vision
• Open with a purpose
• Innovation at software speeds
• Ecosystem-compatible solutions
• Your pace, your path
How You See It Today
• Open source, interoperable protocols
• Agility, Training, Partnering, Services
• Legacy + NG Features, Open Interfaces
• Solutions with interoperable components
Software Defined Networking (SDN)
A Programmable Network—Design, Build, Manage
[Diagram, top to bottom: Applications and Orchestration Frameworks; REST APIs; Control Plane (Basic Network Services: Topology Mgr, Switch Mgr, Host Tracker, Stats Mgr); Network protocols like OpenFlow; Data Plane]
Key Features
• Network algorithms decoupled from Hardware
Advantages
• Network automation can integrate with other disciplines
• Less lock-in; Users can choose features to suit their needs
• Networking control can innovate at software speeds
Network Functions Virtualization (NFV)
[Diagram: Hardware and Software; Router, VPN, Firewall]
Main Features
• Complex networking functions in software on commodity servers
• Simpler networking functions in commodity networking devices
Advantages
• Remove hardware lock-in
• Simplify resource planning
• Enable fast service innovation
• Soft upgrades Meet SLAs
• Reduce CAPEX/OPEX
Brocade Software Networking
Agile, Open, Economics
[Diagram: Branch; Cloud; Data Center; Virtualized Core for Mobile; IPsec; two Brocade vRouters; Web Client; Brocade SDN Controller; Brocade vADC; Web Server 1, Web Server 2, Web Server 3]
Brocade SDN Apps
Brocade Flow | Brocade Flow | Brocade Visibility
It delivers: Backbone Circuit Provisioning | Provides Network sensor services without disruption | Manages Brocade Packet
Use Cases: Software Defined Backbone | A) Threat Mitigation, B) Large Flow Monitoring Optimization | A) Traffic aggregation, and load-balancing to, B) Advance/Expert Interface 3rd-party integration
Target: Production Backbone (Enterprise, REN, Colo DC) | Production Network (Campus, DC Core/Border, ISP Peering Router, REN HPC) | Visibility Network (Large Enterprise, REN, DC)
© 2016 BROCADE COMMUNICATIONS SYSTEMS, INC
Brocade OpenFlow-capable Hardware Families
The MLXe Router and ICX Campus product lines
• ICX 7450 Switch
• ICX 7250 Switch
• ICX 6610 Switch
• ICX 6450 Switch
• ICX 7750 Switch
• MLXe Series Routers
L2 / L3 Firewall Bypass
Science-DMZ Use Case
• HPC: High Performance Computing
• DTN: Data Transfer Nodes
[Diagram: WAN/Internet; Firewall; Brocade MLXe Router; HPC/DTN Network; Brocade Flow Optimizer; Brocade SDN Controller; Open Daylight; steps labelled 1 to 6]
Flow captions:
- 1: Incoming flow from upstream network
- 2: Sent to Firewall for processing
- Brocade Flow Optimizer recognizes this as a trusted flow and programs Brocade MLXe using the controller to bypass the firewall for this flow
- 6: “White-listed” flow now bypasses Firewall and data transfer is faster and more efficient
Brocade MLXe Router
• L3 MLXe:
  - VRF (1 & 6) and OF, or
  - PBR (2) for one arm FW traffic and OF (1 & 6)
• BFO 1.2 can ensure flow in both directions is redirected via two action policies (stateful FW)
Priority Data Superhighway
Campus Slowpath-Bypass Use Case
[Diagram: High Performance Workstation/server; Brocade ICX or MLXe; Brocade Flow Optimizer; Brocade SDN Controller; Open Daylight; steps labelled 1 to 6]
Flow captions:
- 1: Incoming flow from High Performance Workstation/server
- 2: Routed using normal routed/switched path
- Brocade Flow Optimizer recognizes this as a trusted flow and that it is either a “large flow” or “priority application”. Programs Brocade ICX/MLXe using the controller to re-direct the traffic to priority path for this flow
- 6: “White-listed” flow now placed on priority path and data transfer is faster and more efficient
Brocade ICX or MLXe
• L2 or L3 redirect action
• Need to ensure flow in both directions is redirected via policy
Summary of Additional REN Use Cases
[Diagram: Internet; Brocade MLXe; REST API; Brocade Flow Optimizer; Brocade SDN Controller; Open Daylight]
• L7 / Botnet Attack Mitigation
• L2-L4 Volumetric Attack Mitigation
• BGP Remote Triggered Black Hole (RTBH) Mitigation
• DC Flow Management for Policy-based Security
Thank you
Backup
L7 and Botnet Attack Mitigation
[Diagram: Incoming Attack Flow; Internet; three Brocade MLXe routers; IDS; REST API; Brocade Flow Optimizer; Brocade SDN Controller; Open Daylight; steps labelled 1 to 6]
Flow captions:
- 1: Brocade Flow Optimizer initiates mirror action.
- OF “mirror+normal” action.
- MLXe mirrors flows to IDS.
- IDS detects L7 attack (Example: SYN Flood). API to BFO to discard flow.
- OF discard action.
• Adds ability for advanced DDoS detection, up to L7
• Based upon the IDS (Palo Alto, Arbor etc.) detection capability
• API from IDS to BFO initiates additional discard actions
L2-L4 Volumetric Attack Mitigation
[Diagram: Incoming Attack Flow; Internet; three Brocade MLXe routers; Brocade Flow Optimizer; Brocade SDN Controller; Open Daylight; steps labelled 1 to 5]
Local Mitigation: Discard Flow (Redirect Optional)
Flow captions:
- Brocade Flow Optimizer recognizes this as an L2-L4 Volumetric Attack.
• Recommended when incoming aggregate attack traffic is 50% or less
• L2 – L4 local mitigation, based on sFlow sampling and DDoS policy
• OF discard action (Automated, Manual)
• 1/10GbE, 40GbE and 100GbE support
BGP Remote Triggered Black-Hole (RTBH) Mitigation
[Diagram: Incoming Attack Flow; Internet; three Brocade MLXe routers, one marked (Triggering Device); Brocade Flow Optimizer; Brocade SDN Controller; Open Daylight; steps labelled 1 to 8]
Mitigation: Discard Flow
Flow captions:
- Brocade Flow Optimizer recognizes this as an L2-L4 Volumetric Attack.
- Flow Optimizer initiates CLI static route to MLXe.
- MLXe advertises BGP Route (ex: /32, /28, /24, /23)
- Upstream BGP router: A) Discards flow to null0, or B) Re-directs traffic to cleaning site
• L2 – L4 local mitigation does not protect upstream link
• If upstream link is congested above 50% by DDoS, add ability for RTBH to uncongest
• RTBH is a well known Internet operation
• Automated RTBH reduces mitigation time from 15 minutes or hours ->
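Added example (not Brocade code and not the Flow Optimizer API): choosing between the local OF discard of the L2-L4 slide and RTBH, from sFlow samples scaled by their sampling rate. The samples, thresholds, 10GbE uplink, action names and the reading of "50%" as a share of upstream link capacity are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

# All values below are assumptions made for this example.
UPLINK_BPS = 10e9              # assumed 10GbE upstream link
VICTIM_THRESHOLD_BPS = 500e6   # assumed DDoS-policy threshold per destination
INTERVAL_S = 10                # assumed measurement window in seconds

def make_samples(attack_samples, rate=2048):
    """Constructed sFlow-style samples: (dst_ip, frame_bytes, sampling_rate)."""
    attack = [("198.51.100.10", 1400, rate)] * attack_samples
    normal = [("198.51.100.20", 1000, rate)] * 20
    return attack + normal

def estimate_bps(samples, interval_s=INTERVAL_S):
    """Each sample stands for `rate` frames, so scale its bytes by the rate."""
    est = defaultdict(float)
    for dst, frame_bytes, rate in samples:
        est[dst] += frame_bytes * rate * 8 / interval_s
    return dict(est)

def choose_mitigation(samples, uplink_bps=UPLINK_BPS,
                      threshold_bps=VICTIM_THRESHOLD_BPS):
    """Return (attack share of the uplink, [(action, target), ...])."""
    est = estimate_bps(samples)
    victims = {d: bps for d, bps in est.items() if bps >= threshold_bps}
    share = sum(victims.values()) / uplink_bps
    if share <= 0.5:
        # Assumed reading of the slide's "50% or less": the uplink still has
        # headroom, so a local discard at the edge router is enough.
        actions = [("of_discard", dst) for dst in sorted(victims)]
    else:
        # The uplink itself is congested, so the drop has to happen upstream.
        # RTBH discards ALL traffic to the prefix, legitimate included, so
        # the advertised prefix is kept as narrow as possible (/32).
        actions = [("rtbh_advertise", str(ip_network(f"{dst}/32")))
                   for dst in sorted(victims)]
    return share, actions

if __name__ == "__main__":
    for n in (300, 3000):
        print(n, choose_mitigation(make_samples(n)))
```

The estimate is only as good as the sample count: a destination seen in a handful of samples can cross a threshold by chance, so a policy that triggers RTBH automatically should require a minimum number of samples per window.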
L2 Firewall Bypass
Science-DMZ Use Case
• HPC: High Performance Computing
• DTN: Data Transfer Nodes
[Diagram: WAN/Internet; Firewall; Brocade MLXe Router; HPC/DTN Network; Brocade Flow Optimizer; Brocade SDN Controller; Open Daylight; steps labelled 1 to 6]
Flow captions:
- 1: Incoming flow from upstream network
- 2: Sent to Firewall for processing
- Brocade Flow Optimizer recognizes this as a trusted flow and programs Brocade MLXe using the controller to bypass the firewall for this flow
- 6: “White-listed” flow now bypasses Firewall and data transfer is faster and more efficient
Brocade MLXe Router
• L2 MLXe
• BFO 1.2 can ignore, push, pop or modify VLAN ID
• BFO 1.2 can ensure flow in both directions is redirected via two action policies (stateful FW)
L3 Firewall Bypass
Science-DMZ Use Case
• HPC: High Performance Computing
• DTN: Data Transfer Nodes
[Diagram: WAN/Internet; Firewall; Brocade MLXe Router; HPC/DTN Network; Brocade Flow Optimizer; Brocade SDN Controller; Open Daylight; steps labelled 1 to 6]
Flow captions:
- 1: Incoming flow from upstream network
- 2: Sent to Firewall for processing
- Brocade Flow Optimizer recognizes this as a trusted flow and programs Brocade MLXe using the controller to bypass the firewall for this flow
- 6: “White-listed” flow now bypasses Firewall and data transfer is faster and more efficient
Brocade MLXe Router
• L3 MLXe:
  - VRF (1 & 6) and OF, or
  - PBR (2) for one arm FW traffic and OF (1 & 6)
• BFO 1.2 can ensure flow in both directions is redirected via two action policies (stateful FW)
Enterprise DC Flow Management for Policy-Based Security
Operator driven or sFlow threshold driven policy enforcement for large trusted flows
[Diagram: Enterprise Datacenter 1; One-armed Firewall; Enterprise Datacenter 2; Inline Firewall; WAN; Internet; Brocade SDN Controller; Brocade Flow Optimizer; Trusted Traffic Flow; Default Traffic Flow]