Evolution of OpenStack Networks: 25G/50G/100G, Firewall Integration, Comprehensive Integration
Alexei Agueev, Systems Engineer
ETHERNET MIGRATION 10G/40G → 25G/50G/100G
Interface Parallelism
§ Parallelism increases the effective speed of an interface
§ Each interface uses multiple lanes/lasers
• Bit striping across the lanes ensures maximum efficiency
• Increased failure domain
§ Multiplicative CapEx cost
[Figure: 10G and 40G interfaces]
25G & 50G Ethernet Founding Member
Standardizing on 25GbE
§ Faster clock rate increases the effective speed of an interface
§ Each interface uses a single lane/laser
[Figure: 10G, 25G and 50G interfaces]
Cloud Servers & Storage Driving 25GbE and 50GbE Adoption
§ Maximize switch and server throughput and efficiency
§ Minimize capex – fewer switch ports and cables
§ Minimize opex – lower power and cooling
§ Minimize cost per bit by utilizing highest speed available
Evolution of PCI Express Technology
PCIe Gen1: 2 Gb/s per lane, 4x = 10GbE
PCIe Gen2: 4 Gb/s per lane, 8x = 40GbE
PCIe Gen3: 8 Gb/s per lane, 8x = 50GbE
PCIe Gen3 drives 25G and 50G
Example of a 2x 25G Ethernet Adapter
Evolution of the Network Leaf
2011 - 7050 Series: 64 lanes, 1.28Tbps, 1/10GbE
2013 - 7050X Series: 128 lanes, 2.56Tbps, 10/40GbE
2015 - 7060X Series: 128 lanes, 6.4Tbps, 25/40/100GbE
OPENSTACK INTEGRATION MODELS
[Figure: Arista EOS architecture - unmodified Linux kernel, Arista hardware abstraction layer and driver, SysDB holding network state, agents (Mgt, BGP, MLAG, STP, IGMP, PIM, counters, kernel, logs, notify), and northbound interfaces: CLI, eAPI, OMI, XMPP, OVSDB, protobuf (for analytics and telemetry), OpenConfig (for YANG model configs), SDK]
Next Gen EOS
• Container tracer, more application visibility
• Add containers in EOS
• More languages (Go SDK, goapi)
• Custom ASIC
• New protocols scaling: 1M+ routes, 100K+ tunnels, millisecond convergence
• Hybrid cloud integration
NetDB
§ Network state architecture
• Real-time state streaming
§ Working with network states
• Coalesce network-wide states into one DB
• State filtering
• Queries
• Exports
§ Use cases
• Analytics - anomalies, trends, security, ...
• Correlation - troubleshoot, understand behaviours
• Telemetry - real-time counters, queues, logs, events
§ Same publish-subscribe architecture as SysDB
§ Network central state store
• Open collection and consumption
§ State replication
Complete network-wide real-time state streaming
[Figure: stream APIs from every switch into the network central state store or a custom back-end]
Open APIs: gRPC (protobuf), HTTP, custom (SDK, scripts), OpenConfig YANG models, RESTCONF, NETCONF
• CloudVision Apps
• Partner Apps
• Custom Apps
Arista OpenStack Integration – VLAN-based/ML2
§ CVX as a single point of contact
§ CVX takes care of MLAG
§ Dynamic VLAN creation (LLDP-based)
[Figure: MLAG spine over an L2 fabric; Rack 1 .. Rack N each with OVS compute nodes; Neutron with the Arista ML2 driver sends "Create VLAN" to CVX, which dynamically creates the VLAN on the OpenStack compute node link and uplink based on the CVX LLDP table]
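The LLDP-driven VLAN provisioning described on this slide, as an added worked example that is not Arista's ML2 driver or CVX code. It assumes a constructed LLDP table of the kind CVX collects (switch, interface → neighbouring compute host), hypothetical leaf and uplink names, and renders the result as EOS-style trunk configuration for review. The point it adds: the binding is placed only on the leaves that actually see the host (both MLAG peers) plus their uplinks, and a host unknown to LLDP fails the binding instead of trunking the VLAN everywhere.

```python
"""Added example (not Arista's ML2 driver or CVX code): models the
LLDP-based dynamic VLAN creation the slide describes. A constructed CVX
LLDP table maps (switch, port) -> connected compute host. When Neutron
binds a port for a VM on host H with segmentation id V, the driver must
add VLAN V to the host-facing port on every leaf that sees H (both MLAG
peers) and to the uplink toward the spine; it must not touch other racks.
"""
from collections import defaultdict

# Constructed LLDP table as CVX would collect it from each leaf:
# (switch, interface) -> LLDP neighbour system name (the compute host).
LLDP_TABLE = {
    ("leaf1a", "Ethernet1"): "compute-1",
    ("leaf1b", "Ethernet1"): "compute-1",   # MLAG peer of leaf1a
    ("leaf1a", "Ethernet2"): "compute-2",
    ("leaf1b", "Ethernet2"): "compute-2",
    ("leaf2a", "Ethernet1"): "compute-3",
    ("leaf2b", "Ethernet1"): "compute-3",
}

# Assumed uplink interface per leaf (port-channel toward the MLAG spine).
UPLINKS = {"leaf1a": "Port-Channel100", "leaf1b": "Port-Channel100",
           "leaf2a": "Port-Channel100", "leaf2b": "Port-Channel100"}

VLAN_MIN, VLAN_MAX = 1, 4094


def ports_for_host(host, lldp_table=LLDP_TABLE):
    """Return {switch: [interfaces]} where LLDP shows `host` attached."""
    found = defaultdict(list)
    for (switch, intf), neighbour in lldp_table.items():
        if neighbour == host:
            found[switch].append(intf)
    return dict(found)


def plan_vlan_binding(host, vlan, lldp_table=LLDP_TABLE, uplinks=UPLINKS):
    """Compute the per-switch VLAN membership needed to bind a Neutron port.

    Returns {switch: sorted list of interfaces that must carry `vlan`}.
    Raises if the host is unknown to LLDP (the binding must fail rather
    than silently trunk the VLAN everywhere) or if the VLAN id is invalid.
    """
    if not (VLAN_MIN <= vlan <= VLAN_MAX):
        raise ValueError(f"invalid VLAN id {vlan}")
    attachment = ports_for_host(host, lldp_table)
    if not attachment:
        raise LookupError(f"host {host!r} not present in LLDP table")
    plan = {}
    for switch, intfs in attachment.items():
        members = set(intfs)
        members.add(uplinks[switch])   # the VLAN must also ride the uplink
        plan[switch] = sorted(members)
    return plan


def render_eos_config(plan, vlan):
    """Render the plan as EOS-style CLI lines (constructed, for review)."""
    lines = []
    for switch in sorted(plan):
        lines.append(f"! {switch}")
        lines.append(f"vlan {vlan}")
        for intf in plan[switch]:
            lines.append(f"interface {intf}")
            lines.append(f"   switchport trunk allowed vlan add {vlan}")
    return "\n".join(lines)


if __name__ == "__main__":
    binding = plan_vlan_binding("compute-1", 120)
    print(render_eos_config(binding, 120))
```

Running it plans VLAN 120 on leaf1a and leaf1b only (Ethernet1 plus the uplink on each); leaf2a/leaf2b, which do not see compute-1 in LLDP, are left untouched.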
Arista OpenStack Integration – VXLAN-based
§ Transparent VLAN or Hierarchical Port Binding
§ Scalable IP fabric with a Layer 3 ECMP design
§ Hardware VXLAN VTEP configured on every leaf switch
§ Layer 2 connectivity between racks via VXLAN across the L3 fabric
[Figure: Layer 3 ECMP IP fabric for increased underlay scale; the leaf in each of Rack 1 .. Rack N is a VTEP; Neutron with the Arista ML2 driver sends "Create VLAN" to CVX, which maps VNI → VLAN so the OVS compute nodes in all racks share Layer 2 connectivity over VXLAN]
Arista OpenStack Integration – L2 Gateway
§ Syncs the Neutron DB with the CVX DB via OVSDB
§ Integration with Ironic. Support for Security Groups
§ Every ToR can be a HW VTEP and pass-through for VXLAN at the same time
§ MLAG redundancy supported seamlessly
[Figure: L3 ECMP IP fabric; the Neutron L2 GW service plugin and L2 GW agent speak OVSDB to CVX ("Create Port, VLAN → VNI mapping"); each ToR VTEP carries VNIs for the OVS racks and for bare metal, with Security Groups applied at the VTEP]
Scaling OpenStack
§ Multiple OpenStack clusters supported per CVX instance
§ Can be combined with other network virtualization
• NSX
• Etc.
§ VXLAN breaks out of the 4K VLAN limit
• 16M VNIs mapped to locally significant VLANs
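The VNI-to-local-VLAN mapping behind the last bullet, as an added example that is not CVX or ML2 code. It models one allocator per leaf: a 24-bit VNI is mapped on demand to a 12-bit VLAN that is significant only on that leaf, so the same VNI may sit on different VLAN ids on different leaves while only the VNI crosses the fabric. The VLAN range reserved here (2 to 4094) and the leaf names are assumptions. The failure mode it handles is the one that matters operationally: a leaf exhausts its VLAN ids long before the VNI space is touched, so allocation must fail loudly and ids must be released on tenant teardown.

```python
"""Added example (not Arista's CVX/ML2 code): per-leaf allocator mapping a
24-bit VXLAN VNI to a locally significant 12-bit VLAN, as the slide
describes. VLAN ids 1 and 4095 are treated as reserved (assumption)."""
VNI_MAX = (1 << 24) - 1          # 16M VNIs
VLAN_RANGE = range(2, 4095)      # locally usable VLAN ids on one leaf


class LeafVlanAllocator:
    """Holds the VNI <-> VLAN mapping of a single leaf switch."""

    def __init__(self, name, vlan_range=VLAN_RANGE):
        self.name = name
        self._free = list(reversed(vlan_range))  # pop() hands out lowest id first
        self._vni_to_vlan = {}
        self._vlan_to_vni = {}

    def map_vni(self, vni):
        """Return the local VLAN carrying `vni`, allocating one if needed."""
        if not 1 <= vni <= VNI_MAX:
            raise ValueError(f"VNI {vni} out of 24-bit range")
        if vni in self._vni_to_vlan:            # idempotent: second VM, same VNI
            return self._vni_to_vlan[vni]
        if not self._free:
            raise RuntimeError(f"{self.name}: local VLAN space exhausted")
        vlan = self._free.pop()
        self._vni_to_vlan[vni] = vlan
        self._vlan_to_vni[vlan] = vni
        return vlan

    def unmap_vni(self, vni):
        """Release the VLAN of `vni` (e.g. last VM of a tenant left this leaf)."""
        vlan = self._vni_to_vlan.pop(vni)
        del self._vlan_to_vni[vlan]
        self._free.append(vlan)                 # reused by the next allocation
        return vlan

    def vlan_of(self, vni):
        return self._vni_to_vlan.get(vni)

    def vni_of(self, vlan):
        return self._vlan_to_vni.get(vlan)

    def in_use(self):
        return len(self._vni_to_vlan)


def mapping_table(leaves, vni):
    """Show which local VLAN carries `vni` on each leaf (None if absent)."""
    return {leaf.name: leaf.vlan_of(vni) for leaf in leaves}


if __name__ == "__main__":
    leaf1, leaf2 = LeafVlanAllocator("leaf1"), LeafVlanAllocator("leaf2")
    leaf1.map_vni(10001)                       # tenant A lands on leaf1 first
    leaf2.map_vni(20002)                       # tenant B lands on leaf2 first
    leaf2.map_vni(10001)                       # tenant A appears on leaf2 later
    print(mapping_table([leaf1, leaf2], 10001))  # same VNI, different local VLANs
```

The output shows VNI 10001 on VLAN 2 at leaf1 but VLAN 3 at leaf2; neither id means anything beyond its own switch, which is exactly what lets 16M VNIs coexist with a 4K VLAN space per leaf.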
Multi-Tenant OpenStack Deployment
[Figure: two OpenStack regions on one fabric; Rack 1 and Rack 2 (Region 1) and Rack N-1 and Rack N (Region 2), each with OVS compute nodes and a VTEP; Region 1 carried on VNI Y, Region 2 on VNI X; each region's Neutron uses the Arista ML2 driver]
Routing with OpenStack
§ L2 up until now, how do you route?
§ Can be performed by a Network Node
§ Allows connectivity between tenants and external networks
• NAT support
• VRF support
§ Limited by software
§ Alternative is to perform this at the switch... with limitations!
OpenStack Integration – L3 Plugin
§ Arista L3 plugin provisions SVIs over eAPI in response to tenants creating logical routers
§ Routing happens at dedicated network nodes
• Pair of MLAGed physical devices
• Active-Active HA via MLAG
• Performs routing for the OpenStack cluster
- Can be scaled out horizontally by tenant as needed
§ TORs can also be used as the routing nodes
[Figure: MLAG spine over an L2 fabric; Rack 1 .. Rack N with OVS compute nodes; Neutron with the Arista ML2 driver and the Arista L3 plugin; an Infra / GW rack holding the Arista L3 node pair]
MACRO-SEGMENTATION SECURITY (MSS)
Current Approaches for DC Security
§ Security at the perimeter – north-south flows only
§ Scaling limitations – e.g. active/standby HA pairing
§ Security policy dependent on network topology – and vice versa
• Network & security administration are co-dependent
§ Limited or no security of east-west flows, especially for physical devices
§ Little or no coordination between vSwitch security and physical firewalling
[Figure: active/standby physical firewall pair at the perimeter and per-hypervisor vSwitches]
Current approaches ill-suited to the needs of the Software Driven Cloud Data Center
Definitions
Micro-Segmentation
§ Inserting services in the path of inter-VM traffic (e.g. intra-tenant)
§ Policies defined by VMware NSX for each workload
§ Enforced in the distributed vSwitch based on application, tag, etc.
Macro-Segmentation™
§ Inserting services between workgroups (inter-tenant) in the physical network by defining inter-workgroup policies
Arista Macro-Segmentation Security (MSS™)
§ An extension in EOS that utilizes CloudVision to automate security service insertion in the network
§ Integration with leading next-generation firewalls
Micro-Segmentation
§ VMware NSX distributed firewalling addresses security policy and tenant isolation inside the hypervisors (implemented by the VMware distributed virtual switch)
§ Provides very fine-grained security policies at VM-level in conjunction with virtual instances of next generation firewalls for advanced security
§ Utilizes the full context of the hypervisor with visibility into end-user, application, and tenant related information
§ Challenges around physical devices
§ Micro-segmentation is complementary to Macro-Segmentation (MSS is implemented network-wide via CloudVision and the Arista TOR switches)
Arista Macro-Segmentation Services
§ No new tagging or encapsulation
§ One point of control – e.g. the security policy manager
• For both physical and virtual firewalls
§ Directly maps to security model – zones etc.
§ No server reconfiguration
§ No per application overhead
[Figure: virtual and physical firewalls inserted between virtual workloads and physical servers & storage]
Transparent Insertion of Firewall/ Service
§ Enables logical topology to enable services in the network
§ Instantiates logical network topology to enforce service policies
§ No constraints on physical topology - or device placement
§ Policy comes from the service devices themselves
[Figure: physical topology vs. logical topology]
Arista Macro-Segmentation Services
Security Admin owns the security policies; no Network Admin involvement required.
Network Admin owns the network configuration.
PAN service is enabled within CloudVision, which:
• Learns security policies and associated end devices
• Logically instantiates them in the network
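The two steps above (learn the zone policies and the end devices they cover, then instantiate them in the network), as an added example that is not Arista's MSS or CloudVision code and does not reproduce any firewall vendor's API. It assumes a constructed policy export (zones with member addresses plus inter-zone rules), a constructed view of where each workload is attached, a hypothetical firewall service name and a hypothetical per-switch steering-entry format. What it shows beyond the slide: only ports of hosts in a zone named by some rule get an entry, the entry is installed for both directions so return traffic is inspected too, hosts in an unreferenced zone are left alone, and a host that moves racks has its entries recomputed so the policy follows it.

```python
"""Added example (not Arista's MSS or CloudVision code): a controller learns
zone-based policy from a security manager and instantiates it as per-switch
steering entries, so inter-zone east-west traffic between physical hosts
passes the firewall with no re-addressing or new encapsulation.
All zones, hosts, switch names and the entry format are constructed."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str


# Constructed policy as exported by the security admin's firewall manager:
# zone -> member workload addresses, plus the inter-zone rules that exist.
ZONES = {
    "web": {"10.1.0.11", "10.1.0.12"},
    "db": {"10.2.0.21"},
    "backup": {"10.3.0.31"},       # referenced by no rule: stays untouched
}
RULES = [Rule("web", "db")]        # web <-> db must traverse the firewall

# Constructed controller view of where each workload is attached.
LOCATION = {
    "10.1.0.11": ("leaf1", "Ethernet3"),
    "10.1.0.12": ("leaf1", "Ethernet4"),
    "10.2.0.21": ("leaf2", "Ethernet7"),
    "10.3.0.31": ("leaf3", "Ethernet1"),
}
FIREWALL_NEXT_HOP = "fw-cluster-1"   # hypothetical name of the inserted service


def build_steering(zones, rules, location, firewall=FIREWALL_NEXT_HOP):
    """Return {switch: sorted [(ingress_port, dst_ip, firewall), ...]}.

    A host gets entries only on its own attachment port and only toward
    addresses of a zone that a rule pairs with its zone, in both directions
    so the reply path is inspected as well. Zones in no rule get nothing.
    """
    per_switch = {}
    for rule in rules:
        for a, b in ((rule.src_zone, rule.dst_zone), (rule.dst_zone, rule.src_zone)):
            for src in zones.get(a, ()):
                if src not in location:
                    continue                  # device not learned yet: nothing to do
                switch, port = location[src]
                for dst in zones.get(b, ()):
                    ipaddress.ip_address(dst)  # reject malformed policy data early
                    per_switch.setdefault(switch, set()).add((port, dst, firewall))
    return {sw: sorted(entries) for sw, entries in per_switch.items()}


def diff_steering(old, new):
    """Per-switch (add, remove) lists when policy or a host's location changes."""
    changed = {}
    for sw in set(old) | set(new):
        before, after = set(old.get(sw, [])), set(new.get(sw, []))
        if before != after:
            changed[sw] = (sorted(after - before), sorted(before - after))
    return changed


if __name__ == "__main__":
    current = build_steering(ZONES, RULES, LOCATION)
    moved = dict(LOCATION, **{"10.2.0.21": ("leaf3", "Ethernet5")})  # db host re-racked
    for sw, (add, remove) in diff_steering(current, build_steering(ZONES, RULES, moved)).items():
        print(sw, "add", add, "remove", remove)
```

The move in the main block removes the two entries from leaf2 and installs them on leaf3; leaf1, whose web hosts did not move, needs no change, which is the "follows host and application throughout the network" property stated later in the deck.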
Arista Macro-Segmentation Services
Dynamic
• Insert security between any data center physical and virtual workload
• Automatic and seamless service insertion
• Follows host and application throughout the network
Open
• No proprietary frame formats
• Works in multi-vendor network architecture
• Open APIs
Ecosystem
• Works with leading Security, Cloud Orchestration and Overlay Controllers
Thank You…
Spring 2016