
SDN WAN Changes Everything For The Better

1
PacketPushers.net
About Me
Host of Packet Pushers Podcast
Freelance Network Architect/Engineer
YOU CAN HIRE ME!
Blog - EtherealMind.com
NetworkComputing.com
(http://networkcomputing.com/blogs/author/Greg-Ferro)
gregferro.com - personal blog

2
Fundamental Changes

3
Post-Scarcity Markets
[Diagram: a market evolves from Genesis to Custom Product to Commodity. Production moves from Prototype to Custom Built to Short Run Manufacture to Mass Manufacture; components move from Unique to Repeatable; complexity moves from Complex to Simplified to Simpler to Simple. Greg Ferro 2014]
Infrastructure is commoditised
Bandwidth is commoditised: cheap, plentiful, available

4
Post-Scarcity Impacts
Network, Compute, Storage as low cost consumable items (inkjet cartridges)
Purchasing process exceeds purchase price
Human infrastructure costs become high

5
Thoughts on New Networking
Connectivity is not a service or a privilege. It's dumb networking.
Dumb networking must be automated
Visibility and Analytics are the new normal (not monitoring)

6
WAN Pain Points
COST
Service Provider Business
Highly profitable
Oversubscription is good profits
Service Guarantees are expensive to deliver and profitable to sell
Collapsing ecosystem (static revenue, competitive pressures, and political change)
Technology doubles bandwidth every 2/3 yrs but costs don't reduce
7
QoS as a BUG
QoS is a way of conserving bandwidth
Complex to design and deploy
Hardware dependent
Marking issues
Costly to Operate
monitoring, SLA, compliance, what is important

8
WAN Tunnels with MPLS
MPLS is an Overlay Network
circuits are MPLS tunnels
Operating the overlay is expensive
Slow provisioning - MPLS is hard
Enterprise IT is generalist not specialist
MPLS works for carriers as specialist skill set

9
WAN Wants, Cans and Can'ts

10
What You Want
Carrier independence
Technology independence
Full or Partial Mesh
Zero Risk Path Change
Dynamic
Temporal
Bandwidth

11
What You Can Have

Physical
Private WAN, Dark Fibre, IP Optical
DSL / Cable Broadband - low cost, fast, high con
LTE - fast deployment, high speed
Internet - buy enough capacity & quality is fine
Actually, you want all of these. From multiple providers

12
Bandwidth is Cheap
Waste It
Change It
If your WAN is expensive, you have a business problem
Few corner cases
[Chart: 10 Mbps IP VPN Port Prices in Select Cities, Q1 2013-Q1 2014. Source: Telegeography]
13
Impact of Encryption
Network Function | Impact | Options
IDS/IPS | Almost no useful purpose | Host based scanning?
Proxy Servers | No caching without private keys | None yet
Packet Inspection | Only IP Headers and Domain Name | Less Functional QoS
WAN Acceleration | No Payload or Application Compression | IP & TCP Protocol Optimisation limits value
QoS | Packet Inspection Reduced to Header Only | QoS Less Useful
Application Monitoring | Packet Capture & Analysis Not Useful |
14
Building Network Services

15
Services not Connectivity
The WAN of today is about connectivity
MPLS, VPLS, EVPN, ATM, E3/DS3 are all connectivity technologies
Business wants a service

16
Services not Connectivity
Connectivity is not a service anymore
Everyone assumes everything is connected
No one gets a lollipop for connecting branch offices
What makes a WAN Service?

17
WAN as a Service
Service | Features | Service?
Bandwidth | Quantity, Immediate Availability | Yes
Latency | Non-impacting to performance | Yes
Security / Integrity | Data in Motion Security | Yes
Cost Minimised | Wise Use of Company Funds | No
Availability | High Reliability | No
Internet Access | Secure, Fast | No
Fast Service Provision | React to Business Need | Yes-ish

18
What's Wrong with Routing?

19
Forwarding Paths
Forwarding Paths independent of Physical
Three Possible Paths
[Diagram: two Edge Routers joined by three possible paths: path 1 across 10Gbps links via three routers, paths 2 and 3 across 1Gbps links via other routers.]
20
Best and Only Path
Why only ONE path?
[Diagram: two Sites joined through several routers; traffic uses the "Best and Only Path" while the redundant path stays unused.]
21
Forwarding Paths
Which is the BEST path?
[Diagram: an App at each end with three paths between them: path 1 across 10Gbps links (Best Bandwidth, High Latency), path 2 across 1 Gbps links (Overloaded Path), path 3 (Low Latency, Low Bandwidth).]
22
Routing by Rumour
Path sharing is less than perfect
e.g. OSPF uses Multicast
[Diagram: Path Sharing Between Devices: routers between two Sites over 10Gbps and 1Gbps links learn paths through Database Exchange with their neighbours.]
23
Good or Not Good
Good
Dumb but Scalable
Proven
We live with the negatives
Good for the Internet
Good for Service Providers
Not Good
Not good for Enterprise
Not good for Cloud

24
What is Flow Networking?

25
Three Things
Technology basics for building a virtual WAN
1. flow networking
2. dynamic path networking
3. visibility and analytics

26
The Nature of Flow - 1
[Diagram: Packet Flow Through the Network: one TCP or UDP Session between Server and Client, shown as Session - Server to Client and Session - Client to Server.]
27
Flow State in the Network
[Diagram: Flow States in the Network: several Client and Server pairs, each Host TCP Session represented as a Flow State; TCP Sessions as Flows.]
28
The Nature of Flow - 2
[Diagram: Flow - Server to Client and Flow - Client to Server passing Server, Router, Router, Client; Flow States In Network and Flow State in Device.]

29
Define Flow
A flow rule is defined by: Priority, Ethertype, MAC Source Address, MAC Destination Address, IP Source Address, IP Destination Address, Protocol (TCP/UDP/ICMP), Source Port, Destination Port, plus Counters and Instructions
[Diagram: an Ethernet Frame and its Encapsulation mapped onto those flow rule fields.]
How does this look?

30
Flow Tables
[Diagram: Device Flow Tables: a Flow Table holds Flow Records; each record has an Input, a match on SRC/DST IP, TCP Port, VLAN or MPLS tag, and an Output.]
31
Flow Actions
[Diagram: Flow Table & Action: each Flow Record (Input, match on SRC/DST IP, TCP Port, VLAN or MPLS tag, Output) carries an action: VLAN Tag at a VLAN Trunk, VXLAN at an Overlay Edge, MPLS at an MPLS Edge. Device Flow Actions.]
32
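A flow table of the kind the Define Flow and Flow Actions slides describe, written as an added example (not code from the deck): rules match on the slide's header fields, the highest priority hit wins, counters are updated, and the instructions say how to forward (tag, encapsulate or route). The field names, action vocabulary, ports and interface names are assumptions for illustration.

```python
from dataclasses import dataclass

# Match fields from the "Define Flow" slide (names chosen here, not the slide's)
MATCH_FIELDS = {"eth_src", "eth_dst", "ethertype", "ip_src", "ip_dst",
                "ip_proto", "src_port", "dst_port", "vlan", "mpls_label"}

@dataclass
class FlowRule:
    priority: int        # higher priority wins when several rules match
    match: dict          # field -> value; a field left out is a wildcard
    instructions: dict   # what to do with a hit, e.g. push VXLAN and output
    packets: int = 0     # counters, as on the slide
    octets: int = 0

    def __post_init__(self):
        unknown = set(self.match) - MATCH_FIELDS
        if unknown:
            raise ValueError(f"unknown match field(s): {sorted(unknown)}")

    def matches(self, pkt: dict) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())

class FlowTable:
    def __init__(self, rules):
        # sort once so the first hit is the highest-priority rule
        self.rules = sorted(rules, key=lambda r: -r.priority)

    def lookup(self, pkt: dict) -> dict:
        for rule in self.rules:
            if rule.matches(pkt):
                rule.packets += 1
                rule.octets += pkt.get("len", 0)
                return rule.instructions
        # table miss: no record for this flow, hand it to the controller
        return {"action": "to_controller"}

def demo_table() -> FlowTable:
    # Constructed sample policy: database sessions ride a VXLAN overlay over
    # the Internet link, SIP signalling stays on the MPLS circuit, the rest
    # is plain IP routing. Port numbers and interface names are assumptions.
    return FlowTable([
        FlowRule(0, {}, {"action": "ip_route"}),
        FlowRule(100, {"ip_proto": 6, "dst_port": 5432},
                 {"action": "push_vxlan", "vni": 5001, "output": "inet1"}),
        FlowRule(200, {"ip_proto": 17, "dst_port": 5060},
                 {"action": "push_mpls", "label": 300, "output": "mpls0"}),
    ])
```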
Impact of Flow Networking
applications don't see packets or devices
bi-directional flows
accurately represents client-server interaction
[Diagram: Client to Server session setup]
SYN: Client sends SYN packet
SYN/ACK: Server ACKs to confirm inbound session open and sends SYN to establish outbound connection
ACK: Client receives ACK to complete inbound session, receives SYN and establishes outbound session & sends ACK to confirm. Server receives ACK. Now has two sessions: inbound & outbound
Data: Client sends "chunk" of data
ACK: Server confirms receiving "chunk" of data
33
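The bi-directional flow state the slide describes, as an added example that is not part of the deck: a tracker keys both directions of a TCP session to one record, follows the SYN, SYN/ACK, ACK exchange into ESTABLISHED, counts packets and octets per direction, and ignores packets for sessions it never saw open. Addresses, ports and the packet dictionary shape are constructed for the example.

```python
from dataclasses import dataclass, field

def flow_key(pkt: dict) -> tuple:
    # One key for both directions, so one record represents the bi-directional flow
    a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
    return (pkt["proto"],) + (a + b if a <= b else b + a)

@dataclass
class FlowState:
    initiator: tuple                       # (ip, port) that sent the first SYN
    state: str = "NEW"
    pkts: dict = field(default_factory=lambda: {"fwd": 0, "rev": 0})
    octets: dict = field(default_factory=lambda: {"fwd": 0, "rev": 0})

class FlowTracker:
    def __init__(self):
        self.flows = {}

    def observe(self, pkt: dict):
        """Update flow state for one packet; returns the new state or None."""
        key, flags = flow_key(pkt), set(pkt["flags"])
        fs = self.flows.get(key)
        if fs is None:
            # Only a bare SYN opens a record; anything else is mid-stream noise
            if flags != {"SYN"}:
                return None
            fs = self.flows[key] = FlowState(initiator=(pkt["src"], pkt["sport"]))
        d = "fwd" if (pkt["src"], pkt["sport"]) == fs.initiator else "rev"
        fs.pkts[d] += 1
        fs.octets[d] += pkt.get("len", 0)
        if fs.state == "NEW" and d == "rev" and {"SYN", "ACK"} <= flags:
            fs.state = "SYN_RECV"          # server confirmed inbound, opened outbound
        elif fs.state == "SYN_RECV" and d == "fwd" and "ACK" in flags:
            fs.state = "ESTABLISHED"       # both directions confirmed
        if flags & {"FIN", "RST"}:
            fs.state = "CLOSING"
        return fs.state

# Constructed sample: the handshake and one data chunk from the slide
HANDSHAKE = [
    dict(proto="tcp", src="10.1.1.10", sport=40000, dst="10.2.2.20", dport=443, flags=["SYN"], len=0),
    dict(proto="tcp", src="10.2.2.20", sport=443, dst="10.1.1.10", dport=40000, flags=["SYN", "ACK"], len=0),
    dict(proto="tcp", src="10.1.1.10", sport=40000, dst="10.2.2.20", dport=443, flags=["ACK"], len=0),
    dict(proto="tcp", src="10.1.1.10", sport=40000, dst="10.2.2.20", dport=443, flags=["ACK"], len=1200),
    dict(proto="tcp", src="10.2.2.20", sport=443, dst="10.1.1.10", dport=40000, flags=["ACK"], len=0),
]

def run(packets):
    tracker = FlowTracker()
    states = [tracker.observe(p) for p in packets]
    return states, list(tracker.flows.values())
```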
Flow State Can Have An API
Flows are well suited to remote configuration
Simplistic, Useful Abstraction for Packets

34
What Can Flows Be?
Flow Types | Technology
Native IP Data | OpenFlow, IP Routing
Encapsulated | VXLAN, VXLAN+, Geneve, NVGRE, GRE, MPLSoGRE
Encapsulated and Encrypted | IPsec, SSL
Tagged | MPLS
35
Flow Networking
Focus on the end-to-end interaction
Control on a Flow by Flow basis
Visibility Per Flow
Monitoring per flow (aka NetFlow, sFlow)
Drives analytics.

36
Flow Networking
Today | SDN WAN / Tomorrow
Packet by Packet Forwarding | Flow Forwarding
Hop by Hop Routing | Flow Paths
Device by Device Configuration | Manage/Configure Flow Paths
Element Managers | Flow Visibility & Analytics

37
Controller Networking

38
Flow Management
Can we manage flow paths in the same way that we manage packet routing?
Yes, we can
But we can also do much more

39
Controller Model
[Diagram: The Basic Controller Model: a Cloud Orchestrator above SDN Controllers, which manage several Networks.]

40
Distributed Controller Models
[Diagram: an SDN WAN Orchestrator above an SDN Controller, which delegates to several Controllers, each managing its own Network.]


41
Power of APIs
[Diagram: APIs in Networking: Path, Monitoring and Analytics Applications talk through an API to a Network Controller, which manages the Routers.]
42
Controller vs Self-Configuring
Today's networks are self-configuring
Routing protocols configure devices autonomously, in an uncontrolled way
Controller acts to focus configuration so that an entire network view can be taken
Controller does not prevent self-configuration; there are SDN types that use BGP or IS-IS
43
Controller / Flow Forwarding
[Diagram: Network Applications drive a Network Controller, which programs the Flow Table in each of three devices; every Flow Record has an Input, a match on SRC/DST IP, TCP Port, VLAN or MPLS tag, and an Output.]


44
WAN Overlays

45
Difference
Naming Convention
Tunnels are statically configured encapsulation
IPSec, GRE, IPinIP, SSL VPN
Overlays are dynamically configured
encapsulation
VXLAN, NVGRE, IPSec, SSL VPN

46
Overlay and Path Independence
[Diagram: an Encapsulated Path between routers 1 and 3 crossing intermediate routers labelled 2.]

47
Changing this is HARD
[Diagram: Routers interconnected across several Carriers.]

48
Flow Routers at the Edge
[Diagram: Flow Routers placed at the edge in front of the existing Routers; the Encapsulated Path crosses the Carriers unchanged.]
So don't change it, just overlay
not enough time to explain technology

49
Forwarding in Overlay Networks
[Diagram: five hops, 1 to 5. Network Applications drive a Network Controller that programs devices 1 and 5 with a Flow Table with Tunnel/Encapsulation Action (Flow Records matching SRC/DST IP, TCP Port, VLAN or MPLS tag); devices 2, 3 and 4 in the middle forward by IP Routing from a FIB Table.]
50
Overlay Networks
Build many virtual networks from many physical networks
LTE, DSL, IP MPLS, TDM (E3, ATM)
Remove provider dependency

51
WAN Overlay Technologies
Encapsulation Protocols have different features
LISP - suited to self configuring/static networks
IPsec / DMVPN etc -
SSL VPN
Configuration management
Must manage crypto keys, session data, etc
End points, devices,
Viptela Case Study
SSL for control plane
IPsec for forwarding plane
52
Path Management / Quality
Two choices
flow quality by inspection
edge device analyses flow quality
in band detection
run a protocol in the path
e.g. Bidirectional Forwarding Detection to detect latency, packet loss etc.

53
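Putting the in-band measurements to use, as an added example that is not from the deck: given per-path latency, loss and free bandwidth (as a BFD-style probe or flow inspection would report) and a per-application policy, pick the path for each application, and when no path meets the policy, fall back to the least bad one rather than drop the flow. The three constructed paths mirror the "Which is the BEST path?" slide; the policy thresholds and path names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class PathStats:
    # What an in-band probe (BFD-style, as the slide suggests) reports per path
    name: str
    latency_ms: float
    loss_pct: float
    free_mbps: float

@dataclass
class AppPolicy:
    name: str
    max_latency_ms: float
    max_loss_pct: float
    min_mbps: float
    prefer: str  # "latency" or "bandwidth"

def select_path(policy: AppPolicy, paths: list) -> tuple:
    """Return (path name, met_policy); best effort when nothing qualifies."""
    if not paths:
        raise ValueError("no paths measured")
    ok = [p for p in paths
          if p.latency_ms <= policy.max_latency_ms
          and p.loss_pct <= policy.max_loss_pct
          and p.free_mbps >= policy.min_mbps]
    candidates = ok or paths   # nothing meets the policy: pick the least bad path
    if policy.prefer == "latency":
        best = min(candidates, key=lambda p: (p.loss_pct, p.latency_ms))
    else:
        best = max(candidates, key=lambda p: p.free_mbps)
    return best.name, bool(ok)

# Constructed measurements: the three paths from the "Which is the BEST path?"
# slide: big pipe with higher latency, overloaded link, low latency but small.
PATHS = [
    PathStats("inet", latency_ms=45, loss_pct=0.1, free_mbps=3000),
    PathStats("lte", latency_ms=70, loss_pct=2.5, free_mbps=20),
    PathStats("mpls", latency_ms=15, loss_pct=0.0, free_mbps=8),
]
VOICE = AppPolicy("voice", max_latency_ms=50, max_loss_pct=1.0, min_mbps=1, prefer="latency")
BACKUP = AppPolicy("backup", max_latency_ms=500, max_loss_pct=5.0, min_mbps=100, prefer="bandwidth")
```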
The Impact of Software Appliances

54
Bare x86 Performance

Source: Intel Xeon Processor E5-2600 v3 Product Family with the Intel Communications Chipset 89xx Series for Telco and Cloud Service Providers, DATS005 from Intel IDF2014
55
56
57
x86 Impact
Network vendors not required to make silicon
Open competitive markets in mid-range
Can focus on better software that delivers more useful functions
Not limited by CPU, Memory or Storage

58
Cloud Managed WANs

59
Branch Networking
Can we manage a branch network from a cloud platform?
Yes we can.
Netsocket, CloudGenix, Meraki
Also Aerohive, Aruba are compelling WiFi centric options

60
Internet as WAN
Internet is cheap, ubiquitous
short provisioning times
support for mobile users e.g. smartphones, home working, tele working
Technology
IPsec and particularly DMVPN
used for site-to-site only
SSL VPN
best overall option
Surprisingly, no one wants to reinvent the wheel (yet, there is still time)
Business Value
Cloud WAN probably better than outsourcing/managed service but same business outcomes
Better because
visibility and analytics
platform focus
Cloud VPN Providers
Commercial
Pertino
Aryaka
CohesiveFT
Retail
LogMeIn
Dynamic and transparent VPN services
Cloud VPN
Some are offering acceleration as part of service but all other points still apply
built in analytics and monitoring
per session, per user
The Impact of Network Functions Virtualization

66
What is NFV?
Dynamic Service Creation, configurable to a fine grained level
Service = ? firewall, proxy, IDS, Virus Scan, Content Filter, etc
This is called Virtual Network Forwarding
[Diagram: NFV Platform: three x86 Servers (KVM Hypervisor on a Physical Server) each hosting Router, IPS/IDS, WAN Accel, Firewall and Proxy functions, with a Managed Traffic Flow across the Network, controlled by an SDN Platform, a Cloud Orchestrator and a Customer Portal.]
67
Technical Highlights
Orchestration > NFV > SDN
Able to provide services in the network
Huge operational advantages
hardware upgrades/replacement
software upgrades
asset management
out of band management
flexible service creation
etc etc
[Diagram: the same NFV Platform: x86 Servers with KVM Hypervisor on Physical Servers hosting Router, IPS/IDS, WAN Accel, Firewall and Proxy; Managed Traffic Flow across the Network; SDN Platform, Cloud Orchestrator and Customer Portal.]
68
Carrier NFV as Product
IPsec, SSLVPN are configured as end points not tunnels
[Diagram: Branch sites, Phone / Laptop and Mobile / Home users and a Data Centre each connect to a carrier PoP; every PoP runs the NFV platform (x86 Servers with KVM Hypervisor on Physical Servers hosting Router, WAN Accel, IPS/IDS, Firewall and Proxy) under a Cloud SDN Platform Orchestrator with a Customer Portal.]
69
Enterprise WAN Edge
WAN Appliance based with routing, proxy/cache, firewall, logging,
e.g. Cisco Converged Branch architecture on IOS
My Guess: Replace with UCS E-series using OpenStack/KVM for appliances
Competition from converged appliance makers

70
Business Value of NFV/Service Chain
Customers
free of hardware appliances
managed services, OpEx heavy
on-demand, low lead time
low configurability, limited choices
lower costs
Service Providers
delivered from PoP
Cloud in their network
new products to sell
Avoid commoditisation
revenue growth
customer lock-in
71
Visibility & Analytics

72
What's New
Monitoring - it's OK but it's not good
SNMP is not a good API
Post scarcity technology has changed edge devices
today, limited CPU, memory & storage

73
Flow Monitoring
NetFlow has proved that flow monitoring is what we need
Devices that perform flow networking are inherently well suited to monitoring (not per bit or per packet)
Devices are producing statistics from the flow database
74
Edge Devices
Processing Power in Hardware Device
Switches with Intel x86 Xeon CPU, 128 Gigabytes memory
Switch Silicon - Broadcom T2, enterprise class
Operating System = Linux
Run Applications on Edge Device
Applications = Collectors, Reporters

75
Edge Devices - 2
Software Edge Devices
x86 Performance is already > 40 Gbps
VMs most likely
CPU / Memory is now cheap (post scarcity)
Intel DPDK demonstrated at 160 Gbps or 4 x 40GbE interfaces with 100 byte packets (Source: Intel IDF 2014)

76
Examples

Pluribus Networks - Application Platform


SaiSei - Analytics
Vectra Networks - Security

77
SDN WAN Vendors

78
Companies to Watch
Viptela
Talari Networks
Vello Systems
VeloCloud
Pertino
CloudGenix
Glue Networks
Cisco
WAN Automation Engine
ACI
XNC/OpenDaylight
iWAN (Akamai)

79
Wrap Up

80
Takeaways
Overlay Networking in the Enterprise WAN will
enable existing networks to move beyond
connectivity
Edge Routers will use flow networking to virtualise
the WAN
Controller/App technology can manage flows to
deliver services from connectivity
derived WAN offers new models of ownership
81
Takeaways
Network Edge start moving to commodity
appliances.
Some will use x86 servers and Ethernet interfaces
NFV and Software Appliances will dominate the
WAN product space
Technologies based on protocol interception and
analysis face an uncertain future
82
Please Rate Me
If it's good they might invite me back
I'll know the effort is worthwhile.
If it's not good, then I will be prevented from inflicting this on anyone else.

83
Question Time
Host of Packet Pushers Podcast
Freelance Network Architect/Engineer
Blog - EtherealMind.com
NetworkComputing.com
(http://networkcomputing.com/blogs/author/Greg-Ferro)

Slides: speakerdeck.com/etherealmind
84
