Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle’s Next-Generation SDN Platform Andrew Thomas Architect Corporate Architecture

Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |

Oracle’s Next-Generation SDN Platform

Andrew ThomasArchitectCorporate ArchitectureOct 1,2014


Safe Harbor StatementThe following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Virtual Networking• Past• Present• Future


Past• “Once upon a time (’70’s), not so far away (Palo Alto)”• Ethernet invented; everything on the same cable


Past• VLAN’s (802.1q) invented in late 90’s• To support “departments”• “physical” migration of PC’s between floors and offices


Past• VLAN’s present– Technical problems– Political problems


Past

• Must configure switches• Limited number of VLAN’s 4094• MAC address table limits• Broadcast/Unknown/Multicast (BUM) flooding• Problems most significant for large enterprises, hosting, etc

VLAN Technical Problems


Past

• Switches owned by “networking”• Servers owned/managed by another IT group• Switch re-configuration changes through tickets/bug reports– “weeks to fix”

VLAN political problems


Virtualization• Puts a switch in every server• Now need to trunk VLAN’s to servers• VLAN’s run all over the place–Misconfiguration: migrating a VM disconnects the VM from network


“all problems in computer science can be solved with another level of indirection”

– David Wheeler, University of Cambridge


Present• Build virtual layer 2 networks using tunneling encapsulation– Tunnels form an “overlay”– Physical network commonly referred to as “underlay”


Present

• Several tunneling protocols– GRE– NVGRE– STT (Nicira)– VXLAN– Geneve

• All have common goal of decoupling virtual networks from physical networks• All are “L2 in L3” protocols (ie Ethernet in IP)

Tunnels


Present

• VXLAN carries 24 bit VNI (VXLAN segment ID)– 16M virtual networks

• Outer UDP source port carries “entropy” for ECMP

VXLAN

Outer IP UDP VXLAN Guest frame


Present

• “Ethernet networks work, but don’t scale”–Work in the sense the carry L2 frames– But are limited in total number of endpoints (MAC, BUM traffic)

• “IP networks scale, but don’t work”– Internet has huge scale by using IP– IP “doesn’t work” because it doesn’t offer L2 service (IP is L3)

• By using L2 in L3 we build a network which works and scales

Scaling the network


Present

• L3 encapsulation allows L2 packets to pass through routers• L2 virtual networks can span the data center–Much simpler “bin packing” of VM’s • Better operational efficiency

Scaling the Network


Present

• Lots of proposals (and proprietary protocols) for building large L2 networks– Pretty much dead in the water

• Excitement about Fabrics has dissipated• Why?– IP+ECMP seems good enough– Available today–Widely supported

Scaling the network


Present

• Leaf spine / Clos; all routed– “non blocking”, multiple paths (ECMP)

Scaling Architecture


Present

• No forklift upgrade of hardware (will run on what you’ve got)– However, SDN won’t fix performance issues in your physical network– Look at leaf-spine/CLOS when upgrading

• Only change is 1600b MTU to carry encapsulation header• Performance improvement by piecemeal NIC upgrade– Adapter support for VXLAN

• Encapsulation allows us to build isolated layer 2 networks

VXLAN


SDN

• Networks (isolated L2 networks)• Subnets• Ports• Routers• Network services• Gateways• Programmable via RESTful API’s

Elements of Software Defined Networking


SDN

• Creating a new network amounts to allocating a new VNI for VXLAN– No tickets; completely automated– Tunnels run over single VLAN which is provisioned once

Networks


SDN

• Provide addressing information for Ports– Created with a CIDR block– A pool of address available for automated allocation– Subnet configuration, dns_servers, ntp_servers, dhcp_servers

• Automatic per network DHCP/DNS server/IPAM services• Address information also feeds into virtual routing

Subnets


SDN

• Model Virtual Machine interfaces• Persistently associated with the VM interface– Carry address information• MAC address; IP address (from subnet allocation pool)• Firewall state

– Telemetry (metering, chargeback information)

• Provide a point of policy enforcement– Firewalling–QoS

Ports


SDN

• Each group provides – A collection of stateful firewalling rules …– That allow or deny traffic

• Ports can be dynamically associated with multiple Security Groups• Firewalling at each Virtual Machine network interface– “distributed firewalling”– Greatly simplifies reasoning about rules– Don’t need to hairpin traffic through physical box

Security Groups


SDNPerimeter Firewalling being replaced


SDN

• Join multiple L2 networks• Function like a hardware router– Hardware typically limited to a small number of VRF “virtual router functions”– Unlimited number of software instances

• Provide a point for “service insertion”– [of traffic flowing through the “default gateway”]

Routers


SDN

• Plug “ports” into routers• Ports have addressing information via subnet• Subnet provides router configuration

Routers


“the value of a network is proportional to the square of the number of connected users of the system”

– Robert Metcalfe


SDN

• L2 networks are isolated• Routers build bigger islands• Ways off the Island– Floating IP– L2 Gateway– L3 Gateway– L2 VPN– L3 VPN

Getting off the Island


SDN

• L2 Gateway– Provides a VXLAN to “legacy” VLAN connection• Adds/removes VXLAN encapsulation• Joins virtual network to physical networks

– Connectivity to• Storage, dedicated hardware (load balancer…)

– Can be implemented in software– Switch ASIC vendors can do this “at line speed” (~1TB/s)

• L3 Gateway

Getting off the Island - Enterprise


SDN

• Public Cloud– Tenants given “private addresses”– Provider has Internet addresses

• Floating IP’s– Provides an IP address in service provider address space– Traffic flows through a virtual router– NAT from Virtual Machine IP address to Service IP address

Getting off the Island – floating IP (service)


SDN

• SDN “faithfully reproduces” many of the “old networking” concepts– L2 networks– Routers– Subnets (DHCP/DNS/IPAM)

• SDN “new ideas”– Ports migrate network state with Virtual Machine– Security Groups• Perimeter firewalling replaced by per-interface firewalling• Fine grain control

Summary


Future

• Customers care about applications not networks• Applications run in virtual machines• We deliver applications as templates

Applications


Future

• Virtual machines have network interfaces• SDN models these interfaces as ports• Ports have security groups attached to them– This is connectivity information

• We publish the connectivity information within the template• When deploying a group of application– we know what can connect together

Applications


Future

• Assembling a multi-tier application would be about plugging templates together• Automation would create the Software Defined Network– the networks, subnets, routers, ports etc

• Application deployment “defines” the data center

“Application Driven Data Center”

Applications

Documents

Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle’s Next-Generation SDN Platform Andrew Thomas Architect Corporate Architecture