plnog 13: jacek wosz: user defined network
DESCRIPTION
Jacek Wosz – Works as an Expert in the Department of Network Systems at Wasko SA, where he is mainly involved in projects for telecom operators and content providers. JNCIA certificate holder since 2011. Topic of presentation: User Defined Network. Language: Polish. Abstract: TBD
TRANSCRIPT
USER DEFINED NETWORK
Jacek Wosz JNCIE #877
Agenda
• Using SDN at a telecom operator
• Requirements for delivering cloud services with SDN
• User Defined Network as the next step?
• User Self Care Portal
• Block architecture
• What actually happens in the network
Current needs of telecom operators
• Higher margins on the services delivered
• Ability to offer advanced services to business customers (Managed Security)
• Ability to launch new services in a very short time
• Easy scaling of services
• Differentiation from the competition
Cloud Systems Components (2014)
[Diagram: Contrail SDN architecture. The Contrail Controller (Configuration, Analytics, Control) talks REST to the Orchestrator, XMPP to the Contrail vRouters (L2 & L3, on KVM, Xen and ESXi/Hyper-V) running on the compute servers that host the tenant VMs (NFV, e.g. Firefly Perimeter), and BGP + Netconf to the gateway routers (Juniper MX or 3rd-party). The underlay is an IP fabric of Juniper QFabric/QFX/EX or 3rd-party switches.]
User Defined Networks
• Network Address Translation (Firefly)
• Stateful Firewall (Firefly)
• Unified Threat Management (Firefly)
• Intrusion Detection / Prevention (Firefly)
• vCPE (Firefly)
• Caching (Junos Content Encore)
• SSL VPN Gateway (vSA)
• DDoS (JDDS)
• Web Intrusion Deception (Junos WebApp Secure)
[Diagram: service catalogue. Juniper services: NAT, FW, IDP, Intrusion Deception, Caching, DDoS, vCPE, SSL GW, … 3rd-party services: Video Conf., DPI, Analytics, WAN Opt., CDN, Virtual SBC, …]
• Anything !!
[Diagram: Centralized Cloud Data Centers and Edge Clouds (VMs / NFV) attached to the physical network through GW Routers (MX 3D); mobile and business customers connect at the edge.]
Block Architecture – creating a Service Instance
[Diagram: Web Portal → REST/JSON API → Scripts → OpenStack Controller, Contrail Controller and Junos Space / Security Director; a Syslog Server collects the logs. Step shown: Creating Service Instance.]
Block Architecture – adding Firefly Perimeter to Security Director
[Diagram: same components (Web Portal, REST/JSON API, Scripts, Syslog Server, OpenStack Controller, Contrail Controller, Junos Space / Security Director). Steps shown: adding Firefly to Space; bind predefined policy (WF/AppSec/AV).]
Block Architecture – Logging System
[Diagram: same components; the Web Portal requests information from the Syslog Server to draw statistics.]
[Diagram: the same end-to-end picture (Centralized Cloud Data Centers, Edge Clouds with VMs / NFV, GW Router MX 3D, physical network, mobile and business customers); the MX 3D gateways peer with the clouds over eBGP.]
[Diagram: same picture, with the Reports element added.]
ROUTE ADVERTISE BETWEEN MPLS NETWORK AND CONTRAIL
[Diagram: MX GATEWAY (xe-2/0/0.96, 10.10.96.253) – CONTRAIL vROUTER – CONTRAIL/OPENSTACK CONTROLLER – CONTRAIL/OPENSTACK COMPUTE NODE (CONTRAIL ELEMENTS); BGP between the MX and the controller, BGP routes carried over XMPP between the controller and the vRouter.]
1. CREATE VN NET#1, ROUTE TARGET ASN:10000 (VRF #1 with RT ASN:10000 on the MX GATEWAY)
2. CREATE VM#1 in NET#1
3. VM#1 HOST ROUTE RT ASN:10000
4. ADVERTISE VM#1 HOST ROUTE with RT ASN:10000, NH > COMPUTE NODE
5. DYNAMIC GRE
6. INSTALL VM#1 HOST ROUTE in VRF#1
CREATING vSRX SERVICE INSTANCE
[Diagram: same MX GATEWAY (xe-2/0/0.96, 10.10.96.253) / CONTRAIL vROUTER / CONTRAIL/OPENSTACK CONTROLLER / CONTRAIL/OPENSTACK COMPUTE NODE layout. VRFs on the MX: VRF WAN RT ASN:66600666, VRF CUSTOMER #1 RT ASN:10001, VRF CARRIER MGMT RT ASN:950001.]
1. CREATE vSRX SERVICE INSTANCE: IFL #1 WAN NETWORK, IFL #2 LAN NETWORK, IFL #3 MGMT NETWORK
2. VM vSRX HOST ROUTES: RT ASN:66600666 (WAN), RT ASN:10001 (LAN / CUSTOMER #1), RT ASN:950001 (MGMT)
3. ADVERTISE vSRX HOST ROUTES
6. INSTALL vSRX HOST ROUTES in VRFs
CONNECTING vSRX SERVICE INSTANCE TO INFRASTRUCTURE
[Diagram: same layout and VRFs (VRF WAN RT ASN:66600666, VRF CUSTOMER #1 RT ASN:10001, VRF CARRIER MGMT RT ASN:950001).]
• WAN: 0/0 -> WAN GW (CONTRAIL)
• MGMT: 10.10.100/24 -> MGMT GW (CONTRAIL)
• LAN: BGP SESSION TERMINATED on MX
• ADVERTISE -> CUSTOMER ROUTE FROM VRF
• ADVERTISE -> 0/0 to MX VRF (BY CONTRAIL, NOT vSRX)
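The two slides above and the earlier "route advertise between MPLS network and Contrail" slide all rely on the same mechanism: Contrail advertises each VM interface as a /32 host route tagged with a route target, and the MX installs that route only in the VRF whose import target matches, bringing up a dynamic GRE tunnel to the compute node on first use. The toy model below is an added example, not the speaker's or Juniper's code. The network names and RT values (NET#1 / RT ASN:10000, VRF WAN RT ASN:66600666, VRF CUSTOMER #1 RT ASN:10001, VRF CARRIER MGMT RT ASN:950001) come from the slides; the operator ASN 64512 used to render the targets, the addresses, the compute-node names, the tunnel naming, and the choice to give the Contrail-injected 0/0 a next hop on the vSRX's compute node are constructed for illustration.

```python
"""Toy model of route-target based VRF import on the MX gateway.

Added example, not code from the presentation. Slide-derived values: the
VRF names and "RT ASN:<n>" numbers. Assumed for illustration: operator ASN
64512, all addresses, compute-node names and the gr-0/0/0.N tunnel names.
"""
from dataclasses import dataclass, field

OPERATOR_ASN = 64512  # assumption: slides write "RT ASN:<n>" without the ASN


def route_target(n: int) -> str:
    """Render "RT ASN:<n>" from the slides in Junos target:<asn>:<n> form."""
    return f"target:{OPERATOR_ASN}:{n}"


@dataclass(frozen=True)
class Advertisement:
    """One BGP L3VPN route as Contrail advertises it to the MX (step 4)."""
    prefix: str               # VM interface host route, e.g. "10.10.1.5/32"
    next_hop: str             # compute node (vRouter) hosting the VM
    route_targets: frozenset  # extended communities attached to the route


@dataclass
class Vrf:
    name: str
    import_rt: str
    routes: dict = field(default_factory=dict)  # prefix -> (next_hop, tunnel)


def install(vrfs, adverts, tunnels):
    """Steps 4-6: match each advertised route against the VRF import RTs,
    bring up a dynamic GRE tunnel to the next hop the first time that next
    hop is seen, and install the route only in VRFs whose import RT it
    carries. Returns the prefixes that matched no VRF (dropped at the MX)."""
    dropped = []
    for adv in adverts:
        targets = [v for v in vrfs if v.import_rt in adv.route_targets]
        if not targets:
            dropped.append(adv.prefix)
            continue
        # one dynamic GRE tunnel per compute node, shared by all VRFs
        tunnel = tunnels.setdefault(adv.next_hop, f"gr-0/0/0.{len(tunnels)}")
        for vrf in targets:
            vrf.routes[adv.prefix] = (adv.next_hop, tunnel)
    return dropped


def demo():
    # VRFs configured on the MX gateway (step 1 creates VRF #1 for NET#1).
    vrfs = [
        Vrf("VRF #1", route_target(10000)),
        Vrf("VRF WAN", route_target(66600666)),
        Vrf("VRF CUSTOMER #1", route_target(10001)),
        Vrf("VRF CARRIER MGMT", route_target(950001)),
    ]
    adverts = [
        # steps 2-3: VM#1 in NET#1, host route tagged with NET#1's RT
        Advertisement("10.10.1.5/32", "compute-1", frozenset({route_target(10000)})),
        # vSRX service instance: three IFLs, three networks, three RTs
        Advertisement("172.16.0.2/32", "compute-2", frozenset({route_target(66600666)})),  # WAN
        Advertisement("192.168.10.1/32", "compute-2", frozenset({route_target(10001)})),   # LAN
        Advertisement("10.10.100.5/32", "compute-2", frozenset({route_target(950001)})),   # MGMT
        # default route for the customer VRF, injected by Contrail (not by the
        # vSRX); next hop on the vSRX's compute node is an assumption. This is
        # what steers the customer's traffic through the firewall.
        Advertisement("0.0.0.0/0", "compute-2", frozenset({route_target(10001)})),
        # another tenant's network: its RT matches no VRF here and must not leak
        Advertisement("10.20.0.9/32", "compute-3", frozenset({route_target(20000)})),
    ]
    tunnels = {}
    dropped = install(vrfs, adverts, tunnels)
    return {v.name: v.routes for v in vrfs}, tunnels, dropped


if __name__ == "__main__":
    tables, tunnels, dropped = demo()
    for name, routes in tables.items():
        print(name, routes)
    print("tunnels:", tunnels, "dropped:", dropped)
```

Running it shows why the design gives tenant isolation for free: the customer VRF ends up holding only the vSRX LAN address and the Contrail-injected default route, VM#1's route never appears there, the stray tenant route with an unknown target is dropped before any tunnel is built, and all three vSRX interfaces plus the default route share a single GRE tunnel to compute-2. Which VRF a route lands in is decided entirely by the route target Contrail attaches, so the controller's RT assignment is the trust boundary to watch.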
PRECONFIGURING vSRX SERVICE INSTANCE TO NEW ROLE
[Diagram: same layout and VRFs (VRF WAN RT ASN:66600666, VRF CUSTOMER #1 RT ASN:10001, VRF CARRIER MGMT RT ASN:950001); Security Director attaches to the new vSRX.]
• DISCOVER NEW vSRX (Security Director)
• PRECONFIGURE PROFILE ROLE (NGFW / WEB-FILTERING ETC.)
FLOW FROM CUSTOMER IN VRF
[Diagram: same layout and VRFs (VRF WAN RT ASN:66600666, VRF CUSTOMER #1 RT ASN:10001, VRF CARRIER MGMT RT ASN:950001); the customer's traffic enters its VRF on the MX and passes through the vSRX services.]
• FIREWALL / APPLICATION VISIBILITY / WEB FILTERING / AV
Q & A