Confidential

MidoNet Gives OpenStack Neutron A Boost, January 2015

Agenda

▪  Midokura Introduction
▪  MidoNet Architecture & Comparisons
▪  MidoNet Packet Walk-through
▪  Use Cases

About the company

•  Founded in 2010, Midokura is a global company with offices in Tokyo, San Francisco and Barcelona
•  Pioneer in network virtualization: provides software for networking using an overlay approach. Pedigree derives from Amazon, Cisco, VMware and Google
•  Received a $17M first round of funding in April 2013 from Innovation Network Corporation of Japan, NTT and NEC
•  Named by CRN as amongst the top 10 networking stories of 2013 and also amongst the 10 coolest startups in the world

“800 pound virtualization gorillas like VMware and Microsoft that have virtual switch deployments and now network virtualization solutions (NSX and Hyper-V Network Virtualization) will leverage existing relationships to encourage this influence as well as gain access to the network teams. That said, key innovative startups in the network virtualization space like Midokura will also have the potential to help organizations bridge the gap between virtualization and network domains.” – ESG Research

“Network virtualization companies such as Midokura offer network virtualization approaches to compete with visions such as Cisco ACI and VMware NSX, and so they will be watched by mid-tier vendors that feel they are missing out on the next network disruption opportunity.” – 451 Research, an analyst firm

•  First in the industry to bring together network virtualization and bare metal networking with the aim of providing an open network – Cliff Grosner, Infonetics Research
•  Significant contributor to OpenStack Networking (Neutron)
•  First SDN vendor to be certified for the Red Hat OpenStack environment
•  Early member of the OpenDaylight Project (ODP)
•  Broad and deep technical partnerships with network switch vendors, software companies and solution providers

Our Ecosystem

Users
Solution Providers
Technology Providers

Virtual Network Overlays

EVOLUTION OF NETWORK VIRTUALIZATION: INNOVATION IN NETWORKING AGILITY

VLAN APPROACH (Manual End-to-End)
VLAN configured on physical switches
•  Static
•  Manual
•  Complex
•  Tenant state maintained in physical network

OPENFLOW REACTIVE APPROACH (Reactive End-to-End)
Requires programming of flows
•  Limited scalability
•  Hard to manage
•  Impact to performance
•  Still requires tenant state in physical network

PROACTIVE SOFTWARE OVERLAY
Decoupling hardware and software
•  Cloud-ready agility
•  Unlimited scalability
•  Open, standards-based
•  No impact to physical network

OVS Plugin Overview

OVS Open Source Plugin
Overlay networking over GRE tunnels, using the Open vSwitch project.

Components:
•  Neutron OVS Agent
•  Neutron DHCP Agent
•  Neutron L3 Agent
•  IPTables

OVS Agent - receives tunnel/flow setup information from the OVS Plugin and programs Open vSwitch to set up the tunnels and send traffic through them.

DHCP Agent - sets up dnsmasq in a network namespace per network/subnet and enters the MAC/IP pairs into the DHCP lease file.

L3 Agent - driven by the OVS Plugin to set up iptables, routing and NAT tables on the network node.

Challenges with OVS Plugin

Neutron Network Node is a SPOF - you need to use corosync, etc. for active/standby failover.

Challenging at Scale - since there is a single network node, it becomes a bottleneck fairly quickly.

Inefficient Networking - iptables, the L3 Agent and multiple hops for a single flow cause unnecessary traffic and added latency on your physical network.

MidoNet

MidoNet Network Virtualization Platform

Logical L2 Switching - L2 isolation and path optimization with distributed virtual switching. Interconnect with VLAN-enabled networks via the L2 Gateway.

Logical L3 Routing - L3 isolation and routing between virtual networks. No need to exit the software container; no hardware required.

Distributed Firewall - Provides ACLs: a high performance, kernel-integrated firewall via a flexible rule chain system.

Logical Layer 4 Load Balancer - Provides application load balancing in software form; no need for hardware-based load balancers.

VxLAN/GRE - Provides VxLAN and GRE tunneling, giving L2 connectivity across an L3 transport. This is useful when the L2 fabric does not reach all the way from the racks hosting the VMs to the physical L2 segment of interest.

MidoNet/Neutron API - Alignment with OpenStack Neutron's API for integration into compatible cloud management software.

NAT - Provides dynamic NAT and port masquerading.

Architecture Overview

Logical Topology - Overlay Networks

MidoNet Distributed Model vs. Centralized Controller Model

Active/Standby GW Model vs. Fully Distributed GW Model

How MidoNet works

Cloud Networking Can Be Complicated

Start from your existing infrastructure (the diagram shows a load balancer in front of it).

Then we add the MidoNet Network State Database and MidoNet Border Nodes.

Then we install the MidoNet Agent on all the Hypervisor Nodes.

Overlay needs underlay devices connected over IP.

[Diagram labels: Your Existing Infrastructure; Load Balancer; MidoNet Borders; MidoNet Gateway; Network state database]

Now we can build your Virtual Network

MidoNet automatically creates a Provider Router which connects to the External Network.

Each tenant also gets their own virtual Tenant Router.

Various rules and subnets can be applied to the virtual infrastructure.

Then the tenant can create VMs and networks and attach those to the Tenant Router.

Let's spin up two VMs for a single tenant:

Provider Router
Tenant Router
Tenant Network
  Subnet 192.168.5.0/24
  Address: 192.168.5.1, allow incoming tcp/22
  NAT 192.168.5.2 <-> 112.140.32.94
VMs: 192.168.5.2, 192.168.5.3
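The tenant topology on this slide expressed as Neutron API calls, added here as an example (constructed; not Midokura's or the Neutron project's code). Because MidoNet sits behind Neutron's API as a plugin, the tenant describes this network with ordinary Neutron v2 requests and the plugin builds the provider/tenant routers, bridge, filter rules and NAT from them. The request bodies are the documented Neutron v2 resource shapes; FakeNeutron is a constructed in-memory stand-in for neutron-server so the sequence runs offline, and EXT_NET_ID is an assumed identifier.

```python
"""Neutron v2 API sequence for the two-VM tenant of the slides (added example).

FakeNeutron records each request and answers the way neutron-server would;
replace request() with an HTTPS call carrying X-Auth-Token against
http://<neutron-host>:9696 to drive a real deployment.
"""
import itertools
import json

EXT_NET_ID = "ext-net-0001"   # assumed: UUID of the provider's external network


class FakeNeutron:
    """Constructed stand-in for neutron-server: records calls, assigns ids."""

    def __init__(self):
        self.calls = []
        self._ids = itertools.count(1)

    def request(self, method, path, body=None):
        self.calls.append((method, path,
                           json.dumps(body, sort_keys=True) if body else None))
        if method != "POST":
            return {}
        # Neutron wraps each resource in its singular name, e.g. {"network": {...}},
        # and echoes the same wrapper back with the server-assigned "id" filled in.
        (kind, attrs), = body.items()
        return {kind: dict(attrs, id="%s-%04d" % (kind, next(self._ids)))}


def build_tenant_topology(neutron, ext_net_id=EXT_NET_ID):
    """Create network, subnet, router, SSH rule, two VM ports and one floating IP."""
    net = neutron.request("POST", "/v2.0/networks", {"network": {
        "name": "tenant-net", "admin_state_up": True}})["network"]
    subnet = neutron.request("POST", "/v2.0/subnets", {"subnet": {
        "network_id": net["id"], "ip_version": 4,
        "cidr": "192.168.5.0/24",
        "gateway_ip": "192.168.5.1",        # the tenant router's address on the subnet
        "enable_dhcp": True}})["subnet"]
    router = neutron.request("POST", "/v2.0/routers", {"router": {
        "name": "tenant-router",
        # uplink to the external network; MidoNet wires this to its Provider Router
        "external_gateway_info": {"network_id": ext_net_id}}})["router"]
    neutron.request("PUT", "/v2.0/routers/%s/add_router_interface" % router["id"],
                    {"subnet_id": subnet["id"]})
    # "Allow incoming tcp/22": a security group whose only ingress rule is SSH.
    # A new group has no ingress rules, so everything else inbound is dropped.
    sg = neutron.request("POST", "/v2.0/security-groups", {"security_group": {
        "name": "ssh-in"}})["security_group"]
    neutron.request("POST", "/v2.0/security-group-rules", {"security_group_rule": {
        "security_group_id": sg["id"], "direction": "ingress", "ethertype": "IPv4",
        "protocol": "tcp", "port_range_min": 22, "port_range_max": 22,
        "remote_ip_prefix": "0.0.0.0/0"}})
    ports = []
    for ip in ("192.168.5.2", "192.168.5.3"):
        ports.append(neutron.request("POST", "/v2.0/ports", {"port": {
            "network_id": net["id"],
            "fixed_ips": [{"subnet_id": subnet["id"], "ip_address": ip}],
            "security_groups": [sg["id"]]}})["port"])
    # NAT 192.168.5.2 <-> 112.140.32.94. Naming the floating address yourself is
    # admin-only under Neutron's default policy; omit it to let Neutron allocate.
    fip = neutron.request("POST", "/v2.0/floatingips", {"floatingip": {
        "floating_network_id": ext_net_id, "port_id": ports[0]["id"],
        "floating_ip_address": "112.140.32.94"}})["floatingip"]
    return {"network": net["id"], "subnet": subnet["id"], "router": router["id"],
            "ports": [p["fixed_ips"][0]["ip_address"] for p in ports],
            "floating": (fip["floating_ip_address"],
                         ports[0]["fixed_ips"][0]["ip_address"])}


if __name__ == "__main__":
    n = FakeNeutron()
    print(build_tenant_topology(n))
    for method, path, _ in n.calls:
        print(method, path)
```

The order matters: the subnet must exist before the router interface is added, and the ports must exist before a floating IP can be associated. Only the SSH rule is opened; a tenant who also needs ICMP or HTTP adds further ingress rules rather than widening this one.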

All of the virtual topology is stored in MidoNet's Storage Nodes (the network state database).

[Diagram: Your Existing Infrastructure; MidoNet Gateway; Network state database; Provider Router; Tenant Router; Tenant Network with VMs 192.168.5.2 and 192.168.5.3, Subnet 192.168.5.0/24, Address 192.168.5.1 allowing incoming tcp/22, NAT 192.168.5.2 <-> 112.140.32.94]

Now let's talk about what happens when we send traffic between the two VMs.

First, the outbound packet from VM1 is intercepted by the MidoNet agent on the hypervisor.

Next, the MidoNet agent queries the network state database for the virtual topology.

Then the MidoNet agent simulates the packet moving through the virtual topology and the actions that need to be performed on the packet.

Now MidoNet can create a GRE tunnel between the required nodes and send the packet on its way.

Finally, the packet is received by the target node and delivered to the VM.

Subsequent packets follow the already established path and can travel at near line speed.

[Diagram repeated on each step: Your Existing Infrastructure; MidoNet Gateway; Network state database; Provider Router; Tenant Router; Tenant Network with VMs 192.168.5.2 and 192.168.5.3, Subnet 192.168.5.0/24, Address 192.168.5.1 allowing incoming tcp/22, NAT 192.168.5.2 <-> 112.140.32.94; GRE Tunnel between the two hypervisors]

The process is similar when sending packets to/from the External Network.

The process is similar for packets starting from the Internet... only this time the Border Node queries the Storage Nodes for the virtual topology.

[Diagram: MidoNet Borders; Your Existing Cloud Infrastructure; Network state database; Provider Router; Tenant Router; Tenant Network with VMs 192.168.5.2 and 192.168.5.3, Subnet 192.168.5.0/24, Address 192.168.5.1 allowing incoming tcp/22, NAT 192.168.5.2 <-> 112.140.32.94]
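The walk-through above (VM to VM) and the external-network case, as an added example that is not MidoNet's own code: a Python toy of what the agent does for the first packet of a flow, using the slides' tenant as the virtual topology. It simulates the packet through the tenant bridge, the tenant router's inbound filter chain and NAT rule, and the provider router, returns the resulting action (tunnel to a peer host, deliver locally, or drop), and caches it so later packets of the same flow are not simulated again. Host names hv-1, hv-2 and gw-1, the shape of the action dictionary, and the placement of the tcp/22 filter on the tenant router (as the slide labels it) are assumptions; real MidoNet rule chains and stateful NAT are richer than this.

```python
"""Toy of the MidoNet agent's first-packet simulation and flow cache (added example).

Everything below is constructed from the slides: one tenant subnet, two VMs on
two hypervisors, a floating IP with an SSH-only inbound filter, and a gateway
host that holds the provider router's uplink.  The model is stateless: the
reverse direction of a NAT'd flow is not derived here, whereas a real agent
tracks the connection and installs the return flow as well.
"""
import ipaddress
from dataclasses import dataclass

# Virtual topology, i.e. what the agent would read from the network state database.
TENANT_SUBNET = ipaddress.ip_network("192.168.5.0/24")
PORT_BINDINGS = {"192.168.5.2": "hv-1", "192.168.5.3": "hv-2"}   # VM -> hosting hypervisor (assumed)
FLOATING_IPS = {"112.140.32.94": "192.168.5.2"}                  # NAT rule on the tenant router
INBOUND_ACCEPT = {("tcp", 22)}                                   # "allow incoming tcp/22"; rest dropped
UPLINK_PORT = "provider-uplink"                                  # provider router port to the outside
GATEWAY_HOST = "gw-1"                                            # host where the uplink is bound (assumed)


@dataclass(frozen=True)
class Packet:
    ingress_host: str     # host whose agent intercepted the packet
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


def _forward(target_host, ingress_host, rewrite, egress):
    """Deliver locally if the egress port is on this host, else encapsulate."""
    if target_host == ingress_host:
        return {"action": "local", "host": target_host, "egress": egress, "rewrite": rewrite}
    # The tunnel is only created once the simulation knows the peer host.
    return {"action": "tunnel", "encap": "gre", "host": target_host, "egress": egress, "rewrite": rewrite}


def _to_vm(vm_ip, ingress_host, rewrite):
    host = PORT_BINDINGS.get(vm_ip)
    if host is None:
        return {"action": "drop", "reason": "no port bound for %s" % vm_ip}
    return _forward(host, ingress_host, rewrite, egress="vm-port:%s" % vm_ip)


def simulate(pkt):
    """Walk one packet through bridge -> tenant router -> provider router."""
    src, dst = ipaddress.ip_address(pkt.src_ip), ipaddress.ip_address(pkt.dst_ip)
    if src in TENANT_SUBNET and dst in TENANT_SUBNET:
        # Same L2 segment: the tenant bridge switches it, no router, no rewrite.
        return _to_vm(pkt.dst_ip, pkt.ingress_host, rewrite={})
    if src in TENANT_SUBNET:
        # VM -> Internet: tenant router SNATs a VM that owns a floating IP, then the
        # provider router sends it out of the uplink on the gateway host.
        for fip, fixed in FLOATING_IPS.items():
            if fixed == pkt.src_ip:
                return _forward(GATEWAY_HOST, pkt.ingress_host, {"src_ip": fip}, egress=UPLINK_PORT)
        # The slide defines no NAT for other VMs; a real Neutron router would
        # masquerade them behind its gateway address instead.
        return {"action": "drop", "reason": "no NAT mapping for %s" % pkt.src_ip}
    # Internet -> tenant: provider router -> tenant router (DNAT, then inbound chain).
    fixed = FLOATING_IPS.get(pkt.dst_ip)
    if fixed is None:
        return {"action": "drop", "reason": "no route to %s" % pkt.dst_ip}
    if (pkt.proto, pkt.dst_port) not in INBOUND_ACCEPT:
        return {"action": "drop", "reason": "inbound chain rejects %s/%d" % (pkt.proto, pkt.dst_port)}
    return _to_vm(fixed, pkt.ingress_host, rewrite={"dst_ip": fixed})


class Agent:
    """Per-host agent: simulate the first packet of a flow, reuse the result after."""

    def __init__(self, host):
        self.host = host
        self.flows = {}
        self.simulations = 0

    def handle(self, pkt):
        key = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.dst_port)
        if key not in self.flows:
            self.simulations += 1
            self.flows[key] = simulate(pkt)
        return self.flows[key]


def demo():
    hv1, gw = Agent("hv-1"), Agent(GATEWAY_HOST)
    east_west = Packet("hv-1", "192.168.5.2", "192.168.5.3", "tcp", 80)
    results = {
        "east_west": hv1.handle(east_west),
        "east_west_again": hv1.handle(east_west),          # flow cache hit
        "outbound": hv1.handle(Packet("hv-1", "192.168.5.2", "198.51.100.9", "tcp", 443)),
        "ssh_in": gw.handle(Packet(GATEWAY_HOST, "203.0.113.7", "112.140.32.94", "tcp", 22)),
        "http_in": gw.handle(Packet(GATEWAY_HOST, "203.0.113.7", "112.140.32.94", "tcp", 80)),
    }
    results["hv1_simulations"] = hv1.simulations           # 2, not 3: one flow was cached
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point the walk-through makes is visible in the results: the east-west flow never touches a router, the first packet is the only one simulated, and a packet from the Internet that is not tcp/22 is dropped by the tenant router before any tunnel is built toward the VM's hypervisor.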

Use Cases

Do it Bigger. Do it Faster. Do it Better.

Agility - Provide rapid provisioning of isolated network infrastructure for labs and devops.
  Logical Network Provisioning
  Automated Provisioning
  Isolated Sandboxes

Control - Network admins can better secure, control and view network traffic.
  Single Pane of Glass OpsTools
  Enhanced Security
  Enable Compliance

IaaS Cloud - Build multi-tenant clouds with visibility into usage.
  Tenant Control
  Metering
  Automated Self Service

Performance - Improve network performance using edge overlay and complementary technologies.
  Single Hop Virtual Networking
  VXLAN Hardware Gateway
  Massive performance with 40Gb support

Scale - Add virtual network infrastructure and services simply and resiliently, without extra hardware or bottlenecks.
  Distributed Logical Networking: FW, LB, L2/3, NAT
  Limitless "VLANs"
  Scale-out L3 Gateway
  Bridge legacy VLANs
  IPv6

Solution for OpenStack Networking - Use MidoNet to overcome limitations of Neutron for OpenStack users.
  Replaces OVS Plugin

VxLAN Tunneling End Point (VTEP)

MidoNet - Cumulus Linux Solution

[Diagram legend: VxLAN Tunnel; Physical Connection; OVSDB; TCP/IP]

MidoNet Advantages

Check out our blog & OSS site: http://blog.midokura.com/ and http://www.midonet.org
Follow us on Twitter: @midokura @midonet

Thank You