Smart Software is Indispensable, Smart Networking Hardware is Fundamental
Al da Silva, Consulting Systems Engineer, CoE-APAC, Juniper Networks
Cedric Rajendran, Staff Engineer-TS, VMware
Agenda
Value of the SDDC
SDDC Vision & NSX Overview
Convergence of Overlay & Underlay
Security in the SDDC
Management Integration
Demo
Value of SDDC
Chart: time to provision, post virtualization. Spinning up server resources takes seconds; provisioning the network and security takes weeks.
Network challenges in real terms: latency in communications
Chart: the share of virtualized servers and storage is growing rapidly, while the network was built for bare metal servers. Physical compute fell from 54% (2011) to 29% (2015); virtual compute grew from 46% (2011) to 71% (2015).
VMware’s SDDC Vision
Software-Defined Data Center Priorities:
• Data Center Virtualization and Standardization
• Streamlined and Automated Data Center Ops
• Security Controls Native to Infrastructure
• High Availability and Resilient Infrastructure
• Application and Infrastructure Delivery Automation
Software-Defined Data Center Outcomes:
• CapEx Reduction
• OpEx Reduction
• Effortless Security
• Improved Uptime
• ITaaS
NSX Perspective
MetaFabric Guiding Principles
Simple
• Easy to buy
• Easy to deploy
• Easy to operate
• Easy to secure
Open
• Embrace open standards
• Enable choice
• Alleviate lock-in
• Standard APIs
Smart
• Self-healing
• Proactive
• Event correlation
• Security intelligence
High-Performance DC Fabrics
• DC switches
• Any topology
• Fabric technologies
• Operational ease
• Highly available
• Massively scalable
• Open standards
• API/tool automatable
Virtual Networking Intelligence
• VXLAN switching
• NSX SDN-overlay bridging gateway
• In-hypervisor and in-switch cloud analytics engine
• Adaptive load balancing of “elephant & mice” flows / flowlets
Data Center Interconnect
• Best-of-breed WAN and DCI routing
• VPLS and E-VPN
• NSX SDN-overlay routing gateway
• Universal SDN Gateway for multiple VXLAN & MPLS overlays
• In-VM router scaling to 160Gbps
Joint Management and Automation
• Web 2.0-style GUI
• Manage DC network
• Correlate physical and virtual networks
• Monitor vMotion
• Analytics collector with network and in-VM application visibility
Complementary Network Security
• NSX hypervisor FW and virtual network micro-segmentation
• Juniper DC L2-7 perimeter with high-performance NGFW
• Juniper in-VM FW offers Anti-APT/UTM with vSphere-integrated management
Juniper’s MetaFabric Differentiators
1. Seamless forwarding across physical and virtual infrastructure
2. Virtualization-aware network management and orchestration
3. Analytics and visibility of both physical and virtual
Better Together
NSX Virtual Networking + Physical-to-Virtual Switching & Routing
VMware Compute Virtualization + VM-aware Management and VNFs
SDDC: Virtualization & Automation + MetaFabric: Performance & Automation
• Maximize agility and flexibility
• DC programmatic control
• Common policy across DC
• High performance and scalable
• Secure and reliable foundation
• Physical-virtual ops simplification
Now your network is plugged into the SDDC
Convergence of Overlay & Underlay
Figure: how overlays treat the network (the SDDC sees one flat IP network) versus how the network actually is (the SDDC sits on many physical devices and links).
VXLAN replication modes – Multicast Mode
• Standard VXLAN implementation (RFC 7348)
• Multicast in the underlay
• Data plane learning (no controller required for endpoint learning)
VXLAN replication modes – Unicast Mode
• Proprietary unicast replication method
• Unicast to the remote UTEP with the replicate-locally bit set
• Default option when configuring a VNI
• Not recommended for large-scale deployments
VXLAN replication modes – Hybrid Mode
• The only option suited to medium- and large-scale deployments
• Underlay performs L2 multicast replication
• Unicast to the MTEP for L2 replication in other VXLAN transport zones
Overlay attributes
• L2 extension over a Layer 3 underlay
• Any-to-any at massive scale, up to 16 million logical segments
• Overlay addresses are hidden from the underlay
VMware NSX Overlay Tunnels
Underlay attributes
• Ideally a single element to manage (one fabric)
• All links active 100% of the time
• All features on every port
• Predictable latency and performance
• In-Service Software Upgrade
Figure: VXLAN tunnels between VTEPs (VTEP – Virtual Tunnel End Point)
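The two overlay attributes above (16 million segments, overlay addresses hidden from the underlay) both follow from the 8-byte VXLAN header of RFC 7348: a 24-bit VNI, and an inner Ethernet frame that a capture on the underlay sees only as UDP/4789 traffic between VTEP IPs. The following Python, added here as an illustration and not code from the presentation or from either vendor, builds a VXLAN packet around a constructed tenant frame and then decapsulates it to recover the inner MAC and IP addresses that underlay monitoring cannot see. The MAC and IP addresses, the VNI 5001 and the UDP payload are constructed sample values.

```python
import ipaddress
import struct

# Constants from RFC 7348, the standard VXLAN encapsulation named on the slide
VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08            # "I" flag: the VNI field carries a valid value
MAX_VNI = (1 << 24) - 1        # 24-bit VNI gives 16,777,216 logical segments
ETHERTYPE_IPV4 = 0x0800


def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header (flags, 3 reserved, VNI, 1 reserved) to an inner Ethernet frame."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError("VNI must fit in 24 bits")
    header = bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    return header + inner_frame


def parse_vxlan(payload: bytes):
    """Split a UDP payload into (vni, inner_frame); reject headers without the I flag."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    if not payload[0] & VXLAN_FLAG_I:
        raise ValueError("I flag not set: VNI field is not valid")
    vni = int.from_bytes(payload[4:7], "big")
    return vni, payload[8:]


def build_inner_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                      l4_payload: bytes = b"") -> bytes:
    """Constructed sample tenant frame: Ethernet II + minimal IPv4 header (no options, zero checksum)."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    total_len = 20 + len(l4_payload)
    # version/IHL, TOS, total length, ID, flags/frag, TTL, protocol (17 = UDP), checksum, src, dst
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src_ip).packed,
                       ipaddress.IPv4Address(dst_ip).packed)
    return eth + ipv4 + l4_payload


def mac_str(raw: bytes) -> str:
    return ":".join(f"{x:02x}" for x in raw)


def decode_overlay(udp_dst_port: int, udp_payload: bytes):
    """What the underlay sees versus what decapsulation reveals.

    Returns None for UDP traffic that is not VXLAN; otherwise a dict with the VNI and
    the inner MAC/IP addresses that stay hidden from the underlay until decapsulated.
    """
    if udp_dst_port != VXLAN_UDP_PORT:
        return None
    vni, frame = parse_vxlan(udp_payload)
    if len(frame) < 34:
        raise ValueError("inner frame too short for Ethernet + IPv4")
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"vni": vni, "inner_src_mac": mac_str(src_mac), "inner_dst_mac": mac_str(dst_mac)}
    if ethertype == ETHERTYPE_IPV4:
        info["inner_src_ip"] = str(ipaddress.IPv4Address(frame[26:30]))
        info["inner_dst_ip"] = str(ipaddress.IPv4Address(frame[30:34]))
    return info


if __name__ == "__main__":
    # Constructed sample: two tenant VMs on one segment, VNI 5001
    frame = build_inner_frame("00:50:56:aa:00:01", "00:50:56:aa:00:02",
                              "10.1.1.10", "10.1.1.20", b"hello")
    packet = build_vxlan(5001, frame)
    print(decode_overlay(VXLAN_UDP_PORT, packet))
```

The point for operations and security teams is the `decode_overlay` path: a flow record or capture taken on the fabric attributes the traffic to the two VTEP addresses, and the tenant source and destination only appear after the VNI and inner headers are parsed, which is why the slides later stress overlay-aware telemetry.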
SDDC : The Network Perspective
What you DO get
with SDDC Networking
L2 transport over L3 network
Increased logical scale
Application Orchestration and Provisioning
Logical separation of tenants and apps
What you DON’T get
with SDDC Networking
Software upgrades
Configuration of the underlay
Routing protocol configuration
Provisioning of new nodes and core facing links
Management and monitoring of network elements and interactions
All Devices Need to Communicate
• Layer 2, SDN to IP (Layer 2): provide SDN-to-non-SDN translation, same IP subnet
• Layer 3, SDN to IP (Layer 3): provide SDN-to-non-SDN translation, different IP subnet
• SDN, SDN to SDN: provide SDN-to-SDN translation, same or different IP subnet, same or different overlay
• WAN, SDN to WAN: provide SDN-to-WAN translation, same or different IP subnet, same or different encapsulation (remote data center, public cloud, Internet)
Virtual Chassis Fabric – The Ideal SDDC Fabric
• Single point of management
• Ethernet fabric: L2/L3 for the entire DC or for pods
• Single VTEP/L2 gateway on any port (with OVSDB integration)
• Simplified multicast support (no need for PIM)
• Flexibility in size, interface types, future expansion
• Spine-leaf topology for predictable performance and maximum resilience
• AFS for even ECMP distribution of traffic (elephant flow handling)
How VCF presents the network
• Single switch management
• Plug and play implementation
• VTEP anywhere
• Deterministic performance
• Flowlet-based load balancing
• Set-and-forget operation
Figure: the Virtual Chassis Fabric presented to the SDDC as a single switch.
VCF – Bidirectional Multicast Distribution Trees for BUM and multicast
• Multicast Distribution Trees (MDT)
  • One minimal-cost tree rooted at each node
  • Total of N trees
  • Shared among all members to carry traffic in both directions
• Load balancing among N trees
  • BUM traffic: VLAN-ID (hw-token) mapped to tree-id
  • Known multicast: multicast next-hop (IPMC) assigned to tree-id
• Benefits
  • Predictable latency and replication points
  • Automatic load rebalance on topology change
Figure: VCF topology with switches SW 1 … SW 16, L1 … L4 and two routing engines (RE).
IGMP Snooping Configuration
igmp-snooping {
    vlan VXLAN {
        l2-querier {
            source-address 10.10.10.254;
        }
        interface ae0.0 {
            multicast-router-interface;
        }
        interface ae1.0 {
            multicast-router-interface;
        }
        interface ae2.0 {
            multicast-router-interface;
        }
    }
    vlan default;
}
/* enclosing vlans hierarchy for the three VLAN stanzas below */
vlans {
    VLAN203 {
        vlan-id 203;
    }
    VXLAN {
        description "This is the VLAN created to enable inter-host VXLAN overlays";
        vlan-id 1001;
        l3-interface irb.1001;
    }
    default {
        vlan-id 1;
    }
}
IP Fabric Multicast Complexities
Figure: spine-leaf IP fabric. Multicast replication in an IP fabric needs both:
• IGMP snooping configuration
• PIM multicast routing
Intelligent Underlays: Adaptive Flowlet Splicing
Dynamic load balancing algorithm for VCF
TCP flow splicing
No packet re-ordering
Load and queue depth measures used for flowlet balancing
Better ECMP utilisation for overlay and underlay traffic.
More predictable and balanced performance
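The flowlet idea in the slide above is that a TCP flow is only moved between ECMP paths at an idle gap in the flow, so packets of one burst never overtake each other, while new bursts are steered by load. The Python below is an added model of that behaviour (not Juniper's AFS implementation): it assigns a constructed two-flow trace to two paths either per flowlet or by spraying every packet, then counts how often a packet overtakes its predecessor given assumed per-path latencies. Path names, the 100 µs gap, the 10/40 µs latencies and the trace itself are constructed sample values.

```python
PKT_SIZE = 1500  # bytes; every constructed packet is a full-size frame


def assign_flowlets(packets, path_load, gap_us):
    """Flowlet-based load balancing (model of adaptive flowlet splicing, not vendor code).

    packets:   list of (send_time_us, flow_id) in send order
    path_load: dict path_name -> bytes already assigned; stands in for the
               load/queue-depth measure the balancer consults
    gap_us:    inactivity gap after which a flow's next packet starts a new flowlet

    A packet that follows its predecessor within gap_us stays on the same path, so
    packets of one flowlet cannot overtake each other. Only a new flowlet is
    rebalanced, onto the least-loaded path.
    """
    last = {}          # flow_id -> (last_send_time, path)
    out = []
    for ts, flow in packets:
        prev = last.get(flow)
        if prev is not None and ts - prev[0] < gap_us:
            path = prev[1]
        else:
            path = min(path_load, key=path_load.get)
        path_load[path] += PKT_SIZE
        last[flow] = (ts, path)
        out.append((ts, flow, path))
    return out


def assign_per_packet(packets, path_load):
    """Contrast case: spray each packet of a flow over the paths in turn."""
    names = sorted(path_load)
    counter = {}
    out = []
    for ts, flow in packets:
        i = counter.get(flow, 0)
        path = names[i % len(names)]
        counter[flow] = i + 1
        path_load[path] += PKT_SIZE
        out.append((ts, flow, path))
    return out


def count_reorders(assignments, path_latency_us):
    """Number of times a packet arrives before the previous packet of the same flow."""
    arrivals = {}
    for ts, flow, path in assignments:
        arrivals.setdefault(flow, []).append(ts + path_latency_us[path])
    return sum(1 for seq in arrivals.values()
               for a, b in zip(seq, seq[1:]) if b < a)


def sample_packets():
    """Constructed trace: flows A and B each send four packets 10 us apart,
    pause 270 us, then send a second burst of four."""
    pkts = []
    for flow, offset in (("A", 0), ("B", 5)):
        for burst_start in (0, 300):
            for k in range(4):
                pkts.append((offset + burst_start + 10 * k, flow))
    return sorted(pkts)


def compare(gap_us=100):
    """Run both schemes on the sample trace and report reorders and per-path load."""
    latency = {"p1": 10, "p2": 40}      # assumed one-way latency per path (us)
    flowlet_load = {"p1": 0, "p2": 0}
    spray_load = {"p1": 0, "p2": 0}
    flowlet = assign_flowlets(sample_packets(), flowlet_load, gap_us)
    spray = assign_per_packet(sample_packets(), spray_load)
    return {
        "flowlet_reorders": count_reorders(flowlet, latency),
        "flowlet_load": flowlet_load,
        "spray_reorders": count_reorders(spray, latency),
        "spray_load": spray_load,
    }


if __name__ == "__main__":
    print(compare())
```

Both schemes end up with the same bytes on each path, but only the per-packet spray produces out-of-order arrivals. The property depends on the gap threshold being larger than the latency difference between the paths; if the two paths in the model were further apart than 100 µs, a flowlet boundary could still let a later burst overtake an earlier one.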
Figure: overlay virtual networks (VN) running over the Virtual Chassis Fabric underlay.
Multi-Data Center, Multi-Cloud, One Network Architecture
• Private cloud: MX (USG), virtual and physical security, QFX, EX and QFabric switching
• Hosted/managed sites and public cloud (hybrid)
• Campus and branch
• Connected over the WAN and the Internet; any network or SDN
• Managed with Junos Space Network Director
Networking End to End
MX-Series – Universal SDN Gateway
Figure: VMware NSX/BMS pods 1 … n in DC 1 and DC 2 connect through the MX acting as WAN gateway, Layer 2 gateway, Layer 3 gateway and SDN gateway; DC #1, DC #2 and DC #3 are joined over the WAN.
Ethernet VPN Advantages
• Traffic is load balanced across all WAN links
• MAC tables are populated via control-plane unicast (similar to BGP L3VPNs)
• No packet flooding on the WAN
Layer-2 Stretch Between Data Centers
EVPN and VM Traffic Optimizer on the MX
Figure: DC #1 and DC #2 over the WAN, showing the original path, the usual path after VM migration, and the VM-TO path.
VM L2 Location Awareness with VM-TO
• VM Traffic Optimizer detects L2-connected VMs and their migration across data centers
• Dynamic WAN gateway optimization
• Avoids the traffic trombones that occur with normal EVPN after a migration
Security in the SDDC
Enemies in Your Internal Network: The Zero Trust Use Case
• Major security breaches originate from a compromised low-security system with low-security internal network access, which is then used to attack high-value targets
• East-west traffic comprises around 80% of data center network traffic on average (Gartner/ixiacom)
• Network architects have attempted to increase security by dividing the network into an ever-increasing number of network segments
• Even with a large number of network segments, traditional firewalls are unable to control the traffic of IP-adjacent workloads
Security follows the Virtual Machine
Micro-Segmentation
• Fine-grained policies enable firewall controls and advanced security down to the level of the virtual NIC
• The NSX Distributed Firewall (DFW) can apply firewall rules before traffic ever hits the (virtual) wire
• Performance is near line rate
• DFW allows the application of firewall policy to IP-adjacent virtual workloads
• Integration with the industry’s leading security products
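To make the "IP-adjacent workloads" point concrete, here is an added Python model (not NSX code and not the DFW's actual rule format) of the difference between a firewall enforced at the vNIC and one at the subnet boundary. Rules match on security-group membership rather than on addresses, so the verdict is unchanged when a VM is moved and re-addressed, which is the "security follows the virtual machine" claim of the previous slide. The VM names, addresses, groups, ports and the two-rule policy are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VM:
    name: str
    ip: str               # address with prefix, e.g. "10.1.1.10/24"
    groups: frozenset     # security-group membership: the policy key, not the IP


@dataclass(frozen=True)
class Rule:
    src_group: Optional[str]   # None matches any source
    dst_group: Optional[str]   # None matches any destination
    dst_port: Optional[int]    # None matches any port
    action: str                # "allow" or "deny"

    def matches(self, src: VM, dst: VM, port: int) -> bool:
        return ((self.src_group is None or self.src_group in src.groups)
                and (self.dst_group is None or self.dst_group in dst.groups)
                and (self.dst_port is None or self.dst_port == port))


def dfw_verdict(rules, src: VM, dst: VM, port: int) -> str:
    """Distributed firewall: evaluated at the source vNIC for every packet,
    first matching rule wins, implicit deny at the end."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"


def perimeter_verdict(rules, src: VM, dst: VM, port: int) -> str:
    """Perimeter firewall at the subnet boundary: same-subnet traffic is switched
    directly between the workloads and never reaches it, so it cannot be filtered."""
    same_subnet = (ipaddress.ip_interface(src.ip).network
                   == ipaddress.ip_interface(dst.ip).network)
    if same_subnet:
        return "uninspected"
    return dfw_verdict(rules, src, dst, port)


def relocate(vm: VM, new_ip: str) -> VM:
    """Move or re-address a VM; its group membership, and therefore its policy, travels with it."""
    return VM(vm.name, new_ip, vm.groups)


# Constructed sample policy: only web servers may reach the database tier on 3306,
# anyone may reach the web tier on 443, everything else is denied.
POLICY = [
    Rule("web", "db", 3306, "allow"),
    Rule(None, "web", 443, "allow"),
]
WEB = VM("web01", "10.1.1.10/24", frozenset({"web"}))
DB = VM("db01", "10.1.1.20/24", frozenset({"db"}))
# A low-security host on the same subnet, standing in for the compromised system
# in the zero-trust slide; it belongs to no security group.
OTHER = VM("util01", "10.1.1.30/24", frozenset())


if __name__ == "__main__":
    for src, dst, port in ((WEB, DB, 3306), (WEB, DB, 22), (OTHER, DB, 3306)):
        print(f"{src.name} -> {dst.name}:{port}  dfw={dfw_verdict(POLICY, src, dst, port)}"
              f"  perimeter={perimeter_verdict(POLICY, src, dst, port)}")
```

Running it shows the lateral path the zero-trust slide describes: `util01 -> db01:3306` is `uninspected` by the perimeter model because both hosts share a subnet, while the vNIC-level model returns `deny`; after `relocate(DB, "10.2.2.20/24")` both models filter the traffic, and the DFW verdicts for the web tier are unchanged.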
The Solution Landscape is Expanding
Figure: the insertion points for a security service shown on the slide:
• Router/SLB/etc.
• Stand-alone physical security appliance
• Secure fabric (silicon)
• VT-x embedded compute chipset
• Hypervisor kernel module
• Virtual appliance with API hooks
• Stand-alone virtual appliance
• SDN service
• Libraries
• Containers or PaaS
• Cloud services
• In a guest OS/VM or app (virtualized or bare metal)
Figure: SRX Series (physical) alongside vSRX running on the hypervisor in front of the VMs on the virtual network.
Management and security services: Security Director, Juniper Secure Analytics (JSA)
vSRX services: Firewall, IPS, DoS prevention, AppSecure
Integrated Physical and Virtual Security
SRX Series Services Gateways
• Single Junos
• Integrated routing, switching and security
• Unprecedented scale: up to 2 Tbps firewall throughput and 100 million concurrent sessions
Figure: portfolio from Branch SRX (SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650) through campus to High-End SRX for the data center (SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, SRX5800), 1G to 10G.
Maximum Performance and Scale: Express Path – Elephant Flows
• Dramatically increases secured traffic with extremely high-bandwidth flows
• Suitable for express downloads and transfers of large amounts of data
• Reduces packet path latency
• Price/performance gains
Figure: Science DMZ example with 10G/40G/100G links. The site/campus LAN sits behind the enterprise border firewall and area border router; an SRX5000 fronts the Science DMZ switch/router, the data transfer cluster, the Project X data transfer node and the Project Y DTN, giving site/campus access to Science DMZ resources.
SRX in Virtual Format
Junos routing protocols and SDK
Junos rich and extensible security stack:
• Perimeter security: Firewall, VPN, NAT, Routing
• Content security: Anti-Virus, Web Filtering, Content Filtering, Anti-Spam
• Application security: AppTrack, AppFW, AppQoS, IPS
Management: Junos Space – Security Director & Virtual Director, CLI, J-Web, SNMP, HA/FT
Virtual Security Solutions Do Make Sense…
Figure: an x86 box running a hypervisor with many VMs, protected by one vSRX: one virtual instance of anti-malware software plus one virtual instance of the anti-malware signature database.
• Higher guest virtual machine densities
• Higher performance for critical applications and business processes
• Easy deployment and automatic protection of newly created virtual machines
• Security gaps are eliminated (e.g. instant-on gaps, scanning storms etc.)
• Higher return on investment
Management Integration
Today’s Reality in Operations Management
• Monitoring data overload
• Alert storms
• Finger pointing between network, virtual infrastructure and storage teams
• Over-provisioning
Operations Management Goals (status quo versus goal)
Quality of Service
• Are you able to meet or exceed service level expectations?
• Can you remediate issues before end users are impacted?
Operational Efficiency
• What is your average Mean Time to Incident & Resolution?
• Do you manage your infrastructure capacity?
Control and Compliance
• Is your IT infrastructure compliant with regulatory standards?
• Can you proactively enforce IT standards in your organization?
NSX Operations Dashboard
• NSX deployment compliance checks
• Health of VMs hosting NSX services
• Top N stats including VXLANs, VMs
• Health, capacity and performance views of all NSX services deployed
NSX Visibility
• Open alerts
• Top N logical networks and VMs
• Health of the NSX components
• Heat map of the hypervisors in the NSX transport zone
• All NSX resources: compute, network, storage
Figure: the integrated stack.
• Physical hardware (Juniper): QFX5100, EX9200 and MX as L2 gateway; EX9200 and MX as L3 gateway; vSRX for L4-L7 firewall services
• Virtualization (VMware): vSphere / ESXi (compute virtualization), NSX (network virtualization), vSAN (storage virtualization)
• Management & operations: vCenter, vRealize Operations (vCenter Ops), vRealize Log Insight, Network Director
• Cloud orchestration: vRealize Automation (formerly vCAC & vCloud Director)
Technology Integration
1) Smart forwarding across physical and virtual infrastructure
2) Analytics & visibility of both physical and virtual
3) Management & orchestration
4) Application/flow-based traffic handling
Integrated Management, Orchestration & Automation
Network Director Overview
Figure: custom DevOps/ITSM tooling, B/OSS, ITSMs, platforms and apps drive Junos Space (ND app, Web 2.0 GUI) through an open RESTful API; Junos Space manages Junos OS devices over NETCONF and DMI.
Integrated Management, Orchestration & Automation
Network Director-to-VMware Integration Overview
Figure: Network Director correlates the NSX controller, vCenter server and the physical network.
Visualize: holistic and correlated view
• Data center and campus topologies
• Correlated server/VM/network visibility
• Overlay and underlay connectivity
• Physical and virtualized connectivity
Analyze: smarter and proactive networks
• Built-in collection and correlation engine
• Heat map and root-cause analysis
• Telemetry for overlays & underlays
• Inter-VM network trace and flow analysis
Control: lifecycle and workflow automation
• Scalable multi-site management
• Provisioning templating and planning
• Fabric automation and management
• Data center fabric management
Physical & Virtual Visibility in Junos Space ND
• Data center topology and devices
• Physical to virtual topology
• NSX overlay networks topology
Monitoring in Junos Space ND
Network Telemetry – VM bandwidth monitoring
s1>show analytics overlay vxlan
VNI Green: VM1, VM2, VM6, VM7
VNI Blue: VM5, VM10
VNI Red: VM3, VM4, VM8, VM9
Overlay Awareness
Joint-ops advantages
• VXLAN ping, traceroute, VM path visibility
• Insightful metrics monitoring
• Faster troubleshooting and planning
• Proactive & passive application QoE
• Correlate & coordinate network and apps
Exceptional Networking Analytics
Figure: compute (KVM hosts running VMs), overlay virtual networks (VN) and the underlay.
CAE Flow/App Visibility & Analysis
VMs/Apps, Hosts, Networks
• Network telemetry
• App placement
• Troubleshooting
• Watch lists
• Health & capacity assessment
Flow-path Analytics
• End-to-end and per-hop analysis
• Unhealthy VMs/apps/hosts
• Physical/virtual correlation
• Topology visualization
• Simple end-to-end mirroring
Screens: Juniper inventory tree; object-level dashboard; Juniper infrastructure overview dashboard; Juniper top network fabrics dashboard; fault drill-down from a device down alert with launch to Network Director.
Summary
• SDDC will improve the agility of the DC
• Network overlays are here to stay as the predominant form of SDN
• Network overlays abstract service models but do not transform network hardware
• Plug-and-play fabrics converge how the network is with how the SDDC sees it
• Bare metal servers and physical network connectivity need to be considered
• Coherent physical and virtual end-to-end visibility is critical
• The network must not be an inhibitor to innovation
The SDDC is compelling, but network alignment is important
Better Together