Our vision and technologies for a connected...

Date post: 07-Aug-2018

Transcript

1

IoT Containers David Rodriguez

Biz Dev Director Latinamerica

Network Business Division

May 2017

2

Agenda

1. Key market trends and ALE Vision

2. ALE key technologies for IoT Containers

3. IEEE SPB

4. IFAB

5. Smart Analytics

6. Key Remarks


3

Key market trends

and ALE vision

4

The growing trends of IoT

• IoT endpoints will grow to 20.8B units in 2020 *4

• 83% of the 22M smart eyewear devices shipped in 2019 will go to enterprise use cases *5

*1 Statista.com: https://www.statista.com/statistics/263441/global-smartphone-shipments-forecast/

*2 Statista.com: http://www.statista.com/statistics/276623/number-of-apps-available-in-leading-app-stores/

*3, *5 IDC FutureScape: Worldwide Mobility 2016 Predictions, IDC web conference presentation by John Jackson, Nov 2015

*4 Gartner Report: Infrastructure and Operations Leaders: Prepare for the IoT Rush, 1 March 2016

5

Connected devices


IoT is becoming a common element in every industry sector

6

Cyber security: mobility and IoT are a compounding factor in the growing trend of cyber attacks

• Healthcare: criminal attacks doubled between 2010 and 2015

• Higher Education: 2nd highest per-capita data breach cost

• Government: 21M social security numbers compromised in 2015 in the US

• Cost of cyber crime increased 33% from 2013 to 2015

• Hundreds of guests at a luxury hotel in Austria were locked out of their rooms (Jan 2017) *1

• Team of hackers take remote control of a Tesla Model S (Sep 2016) *2

• Hacked cameras and DVRs powered a massive Internet outage (Oct 2016) *3

*1: The Hacker News; The Local (Jan 2017)

*2: The Guardian, Sep 2016: https://www.theguardian.com/technology/2016/sep/20/tesla-model-s-chinese-hack-remote-control-brakes

*3: KrebsOnSecurity: https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/

7

ALE key technologies IoT containment

8

Solution: Tomorrow's Digital Campus

• IoT Friendly

• Pervasive Mobility & Collaboration

• In-Depth Security

• Simplified Operations

• Ultra Performance

Building Blocks: ALE Universities Reference Architecture

• Unified Access

• Intelligent Fabric

• Smart Analytics

• IoT Containment

9

The connected university campus

(Figure: campus zones Stadium, Library, Signage, Administration Office, Automation Lab, Science Lab and Dormitory, each with Faculty and Student users and IoT equipment such as the HVAC system and campus security devices.)

Universal Profile: every user and device follows the same pipeline: Classify -> Authorize -> Auto Provision Container -> Quality and Security. Profiles shown: Faculty Profile, Student Profile, HVAC System Profile, Security Profile, Automation Lab Profile.

10

The connected university campus

HVAC System Profile -> HVAC System Container (Classify, Authorize, Auto Provision Container, Quality, Security)

11

The connected university campus

Automation Lab Profile -> Automation Lab Container (Classify, Authorize, Auto Provision Container, Quality, Security)

12

The connected university campus

Security Profile -> Campus Security Container (Classify, Authorize, Auto Provision Container, Quality, Security)

Security Profile policy:

• Allow SIP video

• Allow door lock protocol

• Drop all other traffic

13

The connected university campus

Faculty Profile -> Faculty Container (Classify, Authorize, Auto Provision Container, Quality, Security)

14

The connected university campus

Students Profile -> Students Container (Classify, Authorize, Auto Provision Container, Quality, Security)

15

IEEE SPB IoT containment

16

Network Virtualization: Shortest Path Bridging (802.1aq)

STP (802.1D) based Ethernet

• Low scalability

• No mesh topologies

• No shortest path

• High convergence times

• Loops

SPB (802.1aq) based Ethernet

• Scalability to 1000+ nodes

• Mesh topologies

• True shortest-path forwarding

• Convergence time below hundreds of milliseconds

• No loops

• Multiple equal-cost paths

• MAC abstraction for transit devices (the core does not learn customer MAC addresses)

• Full support for the 802.1 OAM suite

17

Network Virtualization: Shortest Path Bridging (802.1aq) – Spanning Tree Inefficiency

(Figure, STP: a root bridge, a source with MACs M1...M100, and two destinations, Destination-1 and Destination-2, reached over paths 1, 2 and 3. Links blocked by the spanning tree cannot be used, the routes are inefficient, and every node on the route needs to learn MACs M1-M100.)

18

Network Virtualization: Shortest Path Bridging (802.1aq) – Spanning Tree Inefficiency

(Figure, SPB: the same source, Destination-1 and Destination-2, and paths 1, 2 and 3. All the links are usable, there are multiple shortest paths, and learning of MACs M1-M100 is restricted to the edges because of PBB encapsulation at the edges.)

19

The Distributed Protocols for Control of the Active Topology (IEEE 802.1Q)

• RSTP (Rapid Spanning Tree Protocol): a single spanning tree shared by all traffic

• MSTP (Multiple Spanning Tree Protocol): different VLANs may use different spanning trees

• SPB (Shortest Path Bridging): each node has its own Shortest Path Tree (SPT); we are no longer limited to shared spanning trees

(Figure: the same five bridges, BR A to BR E, shown under RSTP, MSTP and SPB.)

20

Network Virtualization: Shortest Path Bridging (802.1aq)

IEEE 802.1aq defines two variants:

Shortest Path Bridging VID (SPBV) | Shortest Path Bridging MAC (SPBM)
Small VLAN networks | Large PBB-capable networks
2-100 bridges | 2-1000 bridges
Based on 802.1ad | Based on 802.1ah

21

Network Virtualization: Shortest Path Bridging (802.1aq) – Some Concepts

• ISIS-SPB: a version of the IS-IS link-state protocol that supports the SPB TLV extensions.

• Provider Backbone Bridge (PBB), IEEE 802.1ah: defines a MAC-in-MAC data encapsulation.

• Backbone Edge Bridge (BEB): an SPB switch positioned at the edge of the PBB network that learns customer MAC addresses and encapsulates customer frames (adds an 802.1ah backbone header) for transport across the backbone network. The BEB interconnects the customer network space with the PBB network space.

• Backbone Core Bridge (BCB): an SPB node that resides inside the PBB network core. The BCB does not have to learn any of the customer MAC addresses; it mainly serves as a transit bridge for the PBB network.

• SPB-M Service: an OmniSwitch Service Manager service configured on the BEBs. Each service maps to a service instance identifier (I-SID), which is bound to a backbone VLAN.

• Backbone VLAN (BVLAN): a VLAN that serves as the transport VLAN for the SPB-M service instances and connects SPB bridges together through SPT sets. Unlike standard VLANs, BVLANs do not learn source MAC addresses or flood unknown-destination or multicast frames; they forward only on the basis of the forwarding database (FDB) as populated by the ISIS-SPB protocol.

• I-SID: the SPB service instance ID (24 bits).

22

Network Virtualization: Shortest Path Bridging (802.1aq) – Control Plane

Control plane based on IS-IS

• New IS-IS TLVs: the ISIS-SPB domain

• Runs as a new IS-IS instance or within the IP IS-IS instance (multi-topology)

• Convergence < 100 ms

• All links in use / path balancing (ECTs and B-VIDs)

• BUM (broadcast, unknown-unicast, multicast) traffic optimization

• Symmetric paths: the path A -> B equals the path B -> A

• Deterministic and symmetric paths

• Automatic service discovery

• No possibility of loops

• MAC explosion isolation: customer MACs stay in the C-MAC space at the edges, only backbone MACs exist in the B-MAC space of the core

(Figure: seven bridges, :1 to :7. The UNI ports that are part of I-SID 8743 sit at the edges in the C-MAC space; the core is the B-MAC space.)

23

Network Virtualization: Shortest Path Bridging (802.1aq) – Service Plane

Data plane based on L2-over-L2 802.1ah (MAC-in-MAC) tunnels

• Service security and isolation

• Transports all Ethernet frames: native (untagged), 802.1Q/802.1p, 802.1ad Q-in-Q

• Forwarding is consistent with 802.1Q

Frame formats (fields listed from the outer header inwards):

Format | Header fields
802.1D | DA, SA, Ethertype, Payload
802.1Q-1998 | DA, SA, Ethertype, VID, Ethertype, Payload
PB 802.1ad-2005 | C-DA, C-SA, Ethertype, S-VID, Ethertype, C-VID, Ethertype, Payload
PBB 802.1ah-2008 | B-DA, B-SA, Ethertype, B-VID (B-tag), Ethertype, I-SID (I-tag), C-DA, C-SA, Ethertype, S-VID (S-tag), Ethertype, C-VID (C-tag), Ethertype, Payload
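The MAC-in-MAC encapsulation in the table above, as an added example that is not code from the ALE deck or from OmniSwitch. It builds the 802.1ah header a BEB prepends (B-DA, B-SA, B-tag, I-tag), shows what a BCB actually parses (only the outer addresses and B-VID, looked up in an FDB programmed by the control plane, with no learning and no flooding), and shows the I-SID check at the egress BEB that keeps one service from receiving another service's frames. The Ethertypes are the IEEE-assigned values; the MAC addresses, I-SID and port names are assumed.

```python
"""
Added example (not from the ALE deck): 802.1ah MAC-in-MAC encapsulation as a
Backbone Edge Bridge (BEB) performs it, plus the two properties the slide
claims for it: the core forwards on backbone MAC + B-VID only, and a frame is
only handed to a UNI that belongs to the same I-SID.
Ethertypes are the IEEE-assigned values; bridge MACs and I-SIDs are made up.
"""
import struct

ETH_CTAG = 0x8100   # 802.1Q customer VLAN tag
ETH_STAG = 0x88A8   # 802.1ad service tag, also used as the 802.1ah B-tag
ETH_ITAG = 0x88E7   # 802.1ah I-tag (service instance tag)
ETH_IPV4 = 0x0800


def mac(s):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def customer_frame(c_da, c_sa, c_vid, payload, ethertype=ETH_IPV4):
    """A plain 802.1Q frame: DA, SA, C-tag (VID only, PCP/DEI 0), Ethertype, payload."""
    return (mac(c_da) + mac(c_sa)
            + struct.pack("!HH", ETH_CTAG, c_vid & 0x0FFF)
            + struct.pack("!H", ethertype) + payload)


def pbb_encapsulate(frame, b_da, b_sa, b_vid, isid, pcp=0):
    """BEB ingress: prepend B-DA, B-SA, B-tag and I-tag. The whole customer frame,
    C-DA/C-SA included, becomes opaque payload for the backbone."""
    if isid > 0xFFFFFF:
        raise ValueError("I-SID is 24 bits")
    # I-tag TCI: I-PCP(3) | I-DEI(1) | UCA(1) | reserved(3) | I-SID(24)
    itag_tci = ((pcp & 0x7) << 29) | (isid & 0xFFFFFF)
    return (mac(b_da) + mac(b_sa)
            + struct.pack("!HH", ETH_STAG, b_vid & 0x0FFF)   # B-tag
            + struct.pack("!HI", ETH_ITAG, itag_tci)         # I-tag
            + frame)


def backbone_header(frame):
    """Everything a BCB looks at: outer DA, SA and B-VID. Customer MACs are never parsed."""
    b_da, b_sa = frame[0:6], frame[6:12]
    etype, tci = struct.unpack("!HH", frame[12:16])
    if etype != ETH_STAG:
        raise ValueError("not a B-tagged frame")
    return b_da, b_sa, tci & 0x0FFF


def bcb_forward(fdb, frame):
    """BCB lookup keyed on (B-VID, B-DA), as programmed by ISIS-SPB. No source
    learning; an unknown destination is dropped, not flooded."""
    b_da, _, b_vid = backbone_header(frame)
    return fdb.get((b_vid, b_da))


def pbb_decapsulate(frame, local_isids):
    """BEB egress: strip the backbone header and return (isid, customer frame),
    or None when this BEB has no UNI in that service (service isolation)."""
    etype, tci = struct.unpack("!HI", frame[16:22])
    if etype != ETH_ITAG:
        raise ValueError("missing I-tag")
    isid = tci & 0xFFFFFF
    if isid not in local_isids:
        return None
    return isid, frame[22:]


if __name__ == "__main__":
    inner = customer_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", 100, b"hello")
    outer = pbb_encapsulate(inner, "02:00:00:00:00:06", "02:00:00:00:00:01", b_vid=1, isid=8743)
    print(backbone_header(outer), pbb_decapsulate(outer, {8743})[0])
```

The 22-byte overhead (12 bytes of backbone MACs, 4 bytes of B-tag, 6 bytes of I-tag) is the whole price of keeping C-MACs out of the core FDBs: a BCB with a thousand UNIs behind it holds entries for a handful of BEB B-MACs per B-VID, not for M1...M100 of every customer.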

24

Network Virtualization Shortest Path Bridging (802.1aq) – Service Plane

25

Network Virtualization: Shortest Path Bridging (802.1aq)

Discovery (unicast FDB)

• Enable IS-IS on each system

• All the SPBM nodes discover the network topology

• Each system builds its SPT to the rest of the nodes

Service information distribution

• Create the services (I-SIDs)

• IS-IS distributes the information to all the BEB/BCB nodes

• All the SPBM nodes (edge and core) are aware of all the services and end-points

Update FDBs (multicast FDB)

• A node determines whether it is on the shortest path between the end-points for an I-SID

• If so, it updates its FDB for multicast

• When all the nodes on the shortest path complete the calculations, the service is connected

26

Network Virtualization: Shortest Path Bridging (802.1aq) – Load Sharing

(Figure: three equal-cost paths, 1, 2 and 3, between the same pair of edge bridges.)

SPBM defines 16 ECT-ALGORITHMs (16 possible shortest paths) with the notation:

ECT-ALGORITHM = 00-80-C2-01 .. 00-80-C2-10 (the 802.1 OUI 00-80-C2 followed by the ECT-MASK index XX)

Where:

• ECT-MASK(1) = 0x00, the default: picks the lowest BridgeID

• ECT-MASK(2) = 0xFF: inverts, picks the largest BridgeID

• ...

• ECT-MASK(16) = 0xEE

27

SPB-M control plane example: tie-breaking at node 1 for I-SID 100

ISID | B-VID | MASK
1, 255 | 1 | 0x00
3, 253 | 3 | 0x11
5, 251 | 5 | 0x22
... | ... | ...
6, 250 | 6 | 0xDD
4, 252 | 4 | 0xEE
2, 254 | 2 | 0xFF

(The rows run from ECT-ALGORITHM 00-80-C2-01 at the top to 00-80-C2-10 at the bottom.)

Equal-cost paths between bridges 1 and 6, listed by the transit BridgeIDs they cross:

ECT-1 = {00:02, 00:03}, B-VID 1

ECT-2 = {00:02, 00:04}, B-VID 2

ECT-3 = {00:03, 00:05}, B-VID 3

ECT-4 = {00:04, 00:05}, B-VID 4

The sorted list of BridgeIDs on each path is XORed byte-by-byte with the ECT-MASK, giving ECT-1' = XOR'ed ECT-1, ECT-2' = XOR'ed ECT-2, ECT-3' = XOR'ed ECT-3 and ECT-4' = XOR'ed ECT-4. With ECT-MASK.1 = 0x00 the order is ECT-1' < ECT-2' < ECT-3' < ECT-4'. The winner is the lowest path ID, which is used for both unicast and multicast. A failure in link 1-10 would remove ECT-1 and ECT-2 from the list and ECT-3' would win.

(Figure: bridges 1 to 6, with 1 and 6 at the edges and 2, 3, 4, 5 in the core.)
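The three steps of the previous slides (SPT computation from each node, ECT tie-breaking with the mask, and each node deciding whether it is on the service path before programming its FDB) carried through in code. This is an added example, not ALE or OmniSwitch code. The six-node topology is an assumption chosen so that the four equal-cost paths between bridges 1 and 6 cross exactly the transit sets on the slide ({2,3}, {2,4}, {3,5}, {4,5}); all link costs are 1, BridgeIDs are shortened to two bytes (00:0N), and only the three ECT-MASK values the slide states are included.

```python
"""
Added example (not from the deck): how an SPB-M node picks one of several
equal-cost shortest paths with the ECT-ALGORITHM mask, and which nodes then
program their FDB for an I-SID.
Assumed six-node topology reproducing the slide's four ECT sets between
bridges 1 and 6; unit link costs; 2-byte toy BridgeIDs.
"""
from collections import deque

# The three ECT-MASK values the slide gives (index 1, 2 and 16 of the sixteen).
ECT_MASK = {1: 0x00, 2: 0xFF, 16: 0xEE}

# Assumed topology: bridges 1 and 6 are the BEBs hosting the UNIs, 2..5 are BCBs.
LINKS = [(1, 2), (1, 5), (2, 3), (2, 4), (5, 3), (5, 4), (3, 6), (4, 6)]


def bridge_id(node):
    """Toy 2-byte BridgeID 00:0N (a real BridgeID is 8 bytes: priority + system MAC)."""
    return bytes([0x00, node])


def adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def all_shortest_paths(adj, src, dst):
    """BFS that records every predecessor at minimum distance, then expands
    all equal-cost paths from src to dst (the ECT candidate set)."""
    dist, preds, q = {src: 0}, {src: []}, deque([src])
    while q:
        u = q.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v], preds[v] = dist[u] + 1, [u]
                q.append(v)
            elif dist[v] == dist[u] + 1:
                preds[v].append(u)
    if dst not in dist:
        return []

    def expand(v):
        if v == src:
            return [[src]]
        return [p + [v] for u in preds[v] for p in expand(u)]

    return expand(dst)


def path_id(path, mask):
    """802.1aq tie-break key: XOR every byte of every BridgeID on the path with
    the ECT-MASK, then sort. The lowest sorted list wins, so mask 0x00 prefers
    low BridgeIDs and mask 0xFF prefers high ones."""
    return tuple(sorted(bytes(b ^ mask for b in bridge_id(n)) for n in path))


def ect_path(adj, src, dst, mask):
    """The one path this ECT-ALGORITHM selects, or None if dst is unreachable."""
    paths = all_shortest_paths(adj, src, dst)
    if not paths:
        return None
    return min(paths, key=lambda p: path_id(p, mask))


def fdb_nodes_for_service(adj, uni_bridges, mask):
    """Every node asks: am I on the chosen SPT path between any two UNI bridges
    of this I-SID? Exactly those nodes install FDB entries for the service."""
    on_path = set()
    for i, a in enumerate(uni_bridges):
        for b in uni_bridges[i + 1:]:
            p = ect_path(adj, a, b, mask)
            if p:
                on_path.update(p)
    return on_path


if __name__ == "__main__":
    adj = adjacency(LINKS)
    for idx, m in ECT_MASK.items():
        print(f"ECT-MASK({idx})=0x{m:02X}: 1->6 via {ect_path(adj, 1, 6, m)}")
    print("nodes programming I-SID 100:", sorted(fdb_nodes_for_service(adj, [1, 6], ECT_MASK[1])))
```

Because the key is computed from the set of bridges on the path and not from the direction of travel, `ect_path(adj, 6, 1, mask)` is the reverse of `ect_path(adj, 1, 6, mask)`, which is the symmetric-path property the control plane slide lists. Removing link 1-2 drops the two candidates that cross bridge 2 and the mask-0x00 choice moves to the path through {3,5}, as the slide describes.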

28

ALE Unified Access

Automatic Attachment IoT containment

29

Access Guardian 2.0

802.1X, guest, IoT, phones, silent devices

• Profile-driven for employees, guests, contractors and IoT.

• Bandwidth, Access Control Lists (ACLs) and Quality of Service (QoS) per role.

• Silent devices are also secured.

• Logging, alarms, accounting information.

• Support for posture: NAC (Network Access Control).

• Support for web redirection for guest authentication or posture check.

• Remediation support (web, VLAN, ...).

• CoA (Change of Authorization): a RADIUS-initiated action that moves the endpoint to its new role and makes the PC or end user reclaim the correct IP address.

(Figure: printer/camera, employee personal device, guest, IP phone and employee IT device all attach through IEEE 802.1X authentication against a RADIUS-compliant server, followed by classification.)

30

User & Device Network Profiles: Automatic Attachment

Seamless access security on wired and wireless

Profile | Network provisioning | Quality of service / priority | Security profile
Guest | VLAN 10 | 0.2 Mbps, low priority | 
Security | VLAN 20 | 1 Mbps | Only video & locks traffic
Soldier | VLAN 30 | 1 Mbps, high priority | 

A User Network Profile (UNP) binds users and devices to their network provisioning, security profile and quality-of-service requirement and priority.
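The Security Profile of slide 12 (allow SIP video, allow the door-lock protocol, drop all other traffic) and the UNP table above, worked into one policy engine. This is an added example and not ALE or OmniSwitch code: it classifies a device from its 802.1X identity or, for silent devices, its MAC OUI, maps it to a profile carrying VLAN, rate limit, priority and an allow-list ACL, and evaluates flows against that ACL with an implicit drop. Profile names, VLANs and bandwidths come from the slides; the OUIs, subnets, the door-lock port (4070), the Security profile's priority and the user identity are assumptions.

```python
"""
Added example (not ALE code): profile-driven IoT containment of the kind the
Security Profile and UNP slides describe. Classification -> profile (UNP) ->
per-flow ACL check with "drop all other traffic" as the default.
Assumed: OUIs, subnets, the door-lock controller port, the identity store.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    proto: str        # "tcp" or "udp"
    dst_port: int
    dst_net: str      # destination prefix as a string; "" means any destination


@dataclass
class Profile:
    name: str
    vlan: int
    bandwidth_mbps: float
    priority: str
    allow: tuple = field(default_factory=tuple)   # empty allow-list => everything is dropped


PROFILES = {
    # Guest: Internet only (web and the campus resolver), low priority.
    "Guest": Profile("Guest", 10, 0.2, "low", allow=(
        Rule("tcp", 80, ""), Rule("tcp", 443, ""), Rule("udp", 53, "10.0.0."))),
    # Security: only video and locks traffic (priority not stated on the slide; assumed "normal").
    "Security": Profile("Security", 20, 1.0, "normal", allow=(
        Rule("udp", 5060, "10.20.1."),   # SIP signalling to the video/VoIP server (assumed subnet)
        Rule("udp", 5004, "10.20.1."),   # RTP video to the same server
        Rule("tcp", 4070, "10.20.2."))), # door-lock controller (assumed port and subnet)
    "Soldier": Profile("Soldier", 30, 1.0, "high", allow=(
        Rule("tcp", 443, "10."), Rule("udp", 5060, "10.20.1."))),
}

# Classification inputs: authenticated 802.1X identities, and MAC OUIs for silent devices.
IDENTITY_TO_PROFILE = {"jdoe@campus.example": "Soldier"}          # assumed identity store
OUI_TO_PROFILE = {"00:40:8c": "Security", "00:1b:c5": "Security"}   # assumed camera/lock OUIs
FALLBACK_PROFILE = "Guest"


def classify(mac, identity=None):
    """An authenticated identity wins; silent devices fall back to their OUI;
    anything unknown lands in the Guest container, never in an open VLAN."""
    if identity in IDENTITY_TO_PROFILE:
        return PROFILES[IDENTITY_TO_PROFILE[identity]]
    oui = mac.lower()[:8]
    if oui in OUI_TO_PROFILE:
        return PROFILES[OUI_TO_PROFILE[oui]]
    return PROFILES[FALLBACK_PROFILE]


def matches(rule, flow):
    return (flow["proto"] == rule.proto
            and flow["dst_port"] == rule.dst_port
            and flow["dst_ip"].startswith(rule.dst_net))


def evaluate(profile, flow):
    """Allow-list only: 'permit' if any rule matches, otherwise 'drop'."""
    return "permit" if any(matches(r, flow) for r in profile.allow) else "drop"


def provision(mac, identity=None):
    """What the access switch would push to the port after classification."""
    p = classify(mac, identity)
    return {"profile": p.name, "vlan": p.vlan, "rate_limit_mbps": p.bandwidth_mbps, "qos": p.priority}


if __name__ == "__main__":
    cam = classify("00:40:8C:12:34:56")
    print(provision("00:40:8C:12:34:56"))
    print(evaluate(cam, {"proto": "udp", "dst_port": 5060, "dst_ip": "10.20.1.5"}))   # permit
    print(evaluate(cam, {"proto": "tcp", "dst_port": 445, "dst_ip": "10.30.0.7"}))    # drop
```

The two drop cases worth checking are the ones an attacker on a compromised camera would try first: SMB towards a student subnet (wrong protocol and wrong destination) and SIP towards a host that is not the video server (right protocol, wrong destination). Binding each rule to a destination prefix and not just a port is what makes the container more than a VLAN.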

31

ALE IFAB IoT containment

32

Intelligent Fabric: simplifying the design, deployment and operation

• Self-configuring

• Self-attachment

• Simplified moves, adds and changes

• Self-healing

Faster deployment, easier support, higher resilience, lower downtime

(Figure: a fabric of OmniSwitch 6900 and 6860 switches with servers attached over LAGs.)

33

IFAB for a fully automated DC fabric: converged, high-performance and SPB-based

Mesh spine-and-leaf network

34

ALE Smart Analytics IoT containment

35

Smart Analytics: network, users, devices and applications visibility

• App visibility

• Dashboard

• Top-N reports

• Network policies

• Predictive analysis

(Figure: application visibility for Facebook, Outlook.com, YouTube, SIP Voice, Gmail, NetBIOS, Skype and SalesForce.com, with historical and predictive views.)

Visibility and information analysis help to protect your corporation and make better decisions: understand your environment and get alerts from a management system with AI technology.
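One concrete form the "Top-N reports" and "alerts" above can take, as an added example that is not ALE's Smart Analytics code: a per-profile Top-N application report and a rogue-traffic alert over constructed flow records. An IoT container has a known application set, so any other application from it is an alert on its own; for user containers the check is volume against a historical baseline. The flow records, the expected application set and the baseline values are all made up for the example.

```python
"""
Added example (not ALE's Smart Analytics): Top-N applications per profile and
rogue-traffic alerts over constructed flow records.
"""
from collections import Counter, defaultdict

# Constructed flow records: (profile, application, bytes). The application
# names are the ones shown on the slide's dashboard.
FLOWS = [
    ("Security", "SIP Voice", 120_000), ("Security", "SIP Voice", 95_000),
    ("Security", "NetBIOS", 3_000),
    ("Students", "YouTube", 9_000_000), ("Students", "Facebook", 2_000_000),
    ("Students", "Skype", 600_000), ("Faculty", "Outlook.com", 800_000),
]

# IoT containers have a small, known application set (assumed for the example).
EXPECTED_APPS = {"Security": {"SIP Voice"}}
# Assumed historical per-flow baseline (bytes) learned from earlier reports.
BASELINE_BYTES = {"Security": 100_000, "Students": 5_000_000, "Faculty": 1_000_000}


def top_n(flows, n=3):
    """Top-N applications by bytes for each profile, as a dashboard would show them."""
    per_profile = defaultdict(Counter)
    for profile, app, nbytes in flows:
        per_profile[profile][app] += nbytes
    return {p: c.most_common(n) for p, c in per_profile.items()}


def alerts(flows, burst_factor=1.5):
    """Two detections: an IoT container talking an application outside its expected
    set (a small NetBIOS flow from a camera is still an alert), and any single flow
    exceeding burst_factor times the profile's baseline."""
    out = []
    for profile, app, nbytes in flows:
        if profile in EXPECTED_APPS and app not in EXPECTED_APPS[profile]:
            out.append((profile, app, "unexpected application from IoT container"))
        if nbytes > burst_factor * BASELINE_BYTES.get(profile, float("inf")):
            out.append((profile, app, "volume above baseline"))
    return out


if __name__ == "__main__":
    for profile, apps in top_n(FLOWS).items():
        print(profile, apps)
    for a in alerts(FLOWS):
        print("ALERT", a)
```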

36

ALE Final Remark

37

SPB standard

- Scalable

- Availability

- Virtualization (multi-tenant)

Unified Access with Smart Analytics

- Auto containment

- Authentication

- Rogue traffic prevention

Intelligent Fabric

- Auto configuration

- Auto scale

- Self-healing

Automated on-boarding and secure management of IoT devices, enabled by one network with simple operations, high reliability and tight security:

• Accessible only by compliant devices

• Contains only the traffic from the individuals and devices desired

• Provides the quality necessary to run IoT systems successfully

• Consistent experience everywhere with any device (mobility)

A secure, simple, virtualized network: a unique proposition to manage IoT and mobility!

38

Networks at the core of your defense strategy

• IoT-enabled networks

• Network as a Service (NaaS)

• Flexible models: pay per use, software subscription, life cycle management, managed service

Alcatel-Lucent Enterprise: where National Defense military and civilian personnel connect

Secured, resilient and automated networks

39

40

Follow us on:

linkedin.com/company/alcatellucententerprise

twitter.com/ALUEnterprise

facebook.com/ALUEnterprise

youtube.com/user/enterpriseALU

enterprise.alcatel-lucent.com
