Multi-Vendor Service Orchestration
& Network automation for today’s networks
(. . . and for NFV)
Joachim Jerberg Jensen
Systems Engineer, Global Service Providers
CCIE SP #42403
joajense@cisco.com
Confidential
1
Agenda
• Introduktion til Infrastructure Programmability
• Hvorfor?
• NETCONF/YANG
• Network Service Orchestrator (NSO)
• Kunde use cases
Confidential
2
From Device Centric to Network-­‐as-­‐Platform
Network-­wide orchestration replaces the individual device config. This allows network wide service definition and deployment
Orchestration
SDN Controller
Config Plane
Control Plane
Data Plane
Device centric view
Network-­wide view
Confidential
The SDN controller behaves like a centralized control plane for network wide policy & control. Examples of network wide policies include application-­
aware routing, multi-­layer traffic optimization, bandwidth calendaring & scheduling.
What need on the device?
• Packet forwarding
• Efficient route distribution • Rapid convergence with local failure detection and repair
• Local features: L1 features, OAM/PM, QoS, Timing, mcast replication …
3
From device-­‐centric to network-­‐as-­‐platform …
Phase 1
Orchestration
NSO
Phase 2
Orchestration
NSO
SDN WAE
Controller
ODL
Centralized service provisioning Work with existing network devices
Confidential
On Device Minimal but sufficient
AN: Autonomic Networking
SR: Segment Routing
VPN services: eVPN + static PW
4
Cisco Architectural Evolution
API’s/Protocols – Consolidation is happening
Application Frameworks, Management Systems, Controllers, ...
“Protocols”
OpenFlow
I2RS
PCEP
BGP-­‐LS
BGP-­‐SR
Ouantum
Management
Orchestration
Network Services
Control
Forwarding
Device
Confidential
OMI
Puppet
Netconf
OMI
Puppet
Netconf
Neutron
BGP
Diameter
Radius
SNMP
…
PCEP
BGP-­‐LS
BGP-­‐SR
I2RS/I2SS
OpenFlow
Operating Systems – IOS / NX-­‐OS / IOS-­‐XR
5
What is NETCONF?
qNETCONF is an IETF network management protocol designed to support management of configuration, including: §
Distinction between configuration and state data §
Multiple configuration data stores (candidate, running, startup) §
Configuration change validations §
Configuration change transactions §
Selective data retrieval with filtering §
Streaming and playback of event notifications §
Extensible remote procedure call mechanism
qNETCONF server runs on networking device and client runs as part the management application.
Confidential
Configuration data
<get-­‐config>, <edit-­‐config>, <notification>
<rpc>, <rpc-­‐reply>
BEEP, SSH, SSL, console
XML payload, modeled in YANG.
<get>, <get-­‐config>, <edit-­‐config>, <copy-­‐config>, <delete-­‐config>, <lock>, <unlock>, <close-­‐
session>, <kill-­‐session>, <notification>, <commit>…
6
YANG YANG (RFC6020 etc.) is a data modelling language
•
•
•
“Yet Another Next Generation“ – developed after the NG-­‐SNMP fiasco
Data modelling for NETCONF protocol, and more: XML conversion, visualization, code generation...
NETCONF/YANG‘s ambition is to provide the ultimate multi-­‐vendor R/W element and service management, thus an open standard programmability architecture
Example: change
an interface IP address
ietf-­interfaces.yang
Example: c
onfigure
interface IP address
YANG vs. SNMP
YANG
SNMP
Framework
(definition language)
YANG
SMI
Content (information model)
YANG module
MIB
Payload
(encoded data)
XML (ASCII)
ASN.1 BER (binary)
Protocol
(remote access)
NETCONF,
RESTCONF
SNMP
IOS Yang Support: XR-XML, XR-YANG (5.1.1 LA/SMU), xOS-YANG (5.3-5.4)
Confidential
container
interfacesencoding="UTF-8"?>
{
<?xml
version="1.0"
description
"Interface
configuration parameters.“;
<rpc
message-id="9”
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
list interface { key "name“;
<edit-config>
leaf
name { type</target>
string; }
<target>
<candidate/>
description { type string; }
<configleaf
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0”>
leaf xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
type {
<interfaces
type identityref {
<interface>
base interface-type;
<name>GigabitEthernet0/0/0/0</name>
}
<ipv4 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip”><address>
mandatory true;
<ip>10.1.1.1</ip>
}
<prefix-length>24</prefix-length>
leaf enabled {
</address></ipv4>
type boolean;
</interface>
default "true";
</interfaces>
}
</config>
leaf link-up-down-trap-enable {
</edit-config>
<commit/>type enumeration {
enum enabled { value 1; }
</rpc>
...
]]>]]>
7
YANG abstraction example
Cisco NSO/Tail-F – Abstraction Capabilities using Modeling language (Netconf/Yang)
Abstraction enabled with the decoupling of Service Layer
to the Underlying Device/Infrastructure Layer NED 1
Confidential
NED 2
8
NED ‘N’
8
Cisco Orchestration and SDN Strategy
High Level View
CFS
BSS
• Model-­‐driven end-­‐to-­‐end service OSS
Network Service Orchestrator (RFS)
RFS
Multi-­‐layer
WAN SDN
• Seamless integration with existing and future OSS/BSS environment
Infrastructure
Configuration-­‐based
Provisioning
lifecycle and customer experience in focus
DC & NFV C ontroller
• Loosely-­‐coupled and modular architecture leveraging open APIs and standard protocols
• Orchestration across multi-­‐domain and CPE
Metro and Access
WAN
Data Center
EMS
Confidential
multi-­‐layer for centralized policy and services across entire network
9
Cisco Orchestration and SDN Strategy for SPs
NFV View
• Generic Orchestration architecture that spans physical and virtual domains and migration
• Generic architecture for different use cases BSS
including mobility, vCPE and virtual Managed Services
OSS (Prime Service Catalogue, etc.)
Network Services Orchestrator NFVO
CTCM / ESC
VNF
Manager(s)
VNF3
VNF2
VNF1
Openstack
EMS
Hypervisor
PHYSICAL INFRASTRUCTURE
Confidential
Virtualized
Infrastructure Manager(s)
SDN
Controller
DC Overlay SDN
NFV INFRASTRUCTURE
10
Tail-f At-a-Glance
• Founded in 2005
§
Disruptive Service Orchestration software
• HQ in Stockholm, Sweden
§
Reduces time & efforts to develop & provision
services in a Multi-Vendor network
§
Early leader in the fast-growing NFV market
• US Office in Silicon Valley
• Software product company
• Multi-vendor Service Orchestration & Network Automation
• Service Orchestration for NFV/SDN
(and today’s networks !)
• Centralized Network Control – SDN
Blue Chip Customers
• 100+ customers world-wide
• 7 out of 10 world’s largest network equipment vendors
• Early NFV leadership – multiple deployments
• Target Markets
• Service Providers
• Cloud providers / Data Centers
• Network Equipment Vendors
Confidential
11
Tail-f NSO
Confidential
(Network Services Orchestrator)
12
Reality: An Ambitious Layer 3 VPN
Peering VLAN,
subinterface, and eBPG
SVI connectivity
and highavailability
configuration
Transit VLAN
Tenant A
156.5.5.5
VLAN 801
VM
OS
EXT 1
ASR 1
ASR 2
AS
64554
EXT 2
VLAN 801
Routes to enterprise
networks need to be
established
Provider Edges
Layer 3 IEEE 802.1Q subinterface
OpenStack
Computing
Node
Data Center
Layer 2 VLAN
Tenant Private VRF
OpenStack Layer 3 Neutron
Confidential
13
Network Orchestration Layer
BSS/OSS
Network Service Request
Service Attributes
Network Orchestration Layer
Agility : Model-­‐Driven
Operations: Network Transactions
Minimal
Device Configuration
New Service Type: 2 days
New Device Type: 2 weeks
Confidential
14
NSO Overview
OSS/BSS
Portals
Python, REST, Java
Network
Engineer
Network-wide CLI, WebUI
Tail-f Network Control System
Service Manager
Service
Models
Device Manager
Network
Element Drivers
OpenFlow
Device
Models
Multi-vendor
Transactions
Model-driven
NETCONF, XML, CLI, SNMP…
Large Multi-Vendor Networks:
Hardware, Virtual, OpenFlow
Confidential
15
15
Tail-f NSO Main Features
Tail-f NSO Main Features
Tail-f NSO
•
Model-based architecture
•
Transactional guarantees
•
In-memory storage of
configuration states for all
services and all devices
•
FastMap* algorithm for
service-layer CRUD
operations
•
Reactive FastMap*
* Patent No.: US 8,533,303 B2
Confidential
16
Tail-f NSO Main Feature 1: Model-Based Architecture
BSS
Service
Models
Tail-f NSO
Device
Models
No hard-coded assumptions about:
•
Network services
•
Network architecture
•
Network devices
Instead:
•
Data models written in YANG
(RFC 6020)
Multivendor Layer 2, Layer 3, and Layer
4-7 Network
Confidential
17
Tail-f NSO Main Feature 1: Model-Based Architecture
BSS
YANG data models for:
Service
Models
Tail-f NSO
Device
Models
•
Network services
•
Network topology
•
Network devices
YANG data models drive:
•
Northbound APIs
•
User interfaces
•
Southbound command sequences
Benefits:
•
Can be used for all types of
services and all types of networks
Multivendor Layer 2, Layer 3, and Layer
4-7 Network
Confidential
18
Tail-f NSO Main Feature 2: Transactional Guarantees
BSS
Transactional guarantees:
Tail-f NSO
Transactional
Integrity
•
Help ensure fail-safe operations
(automated handling of
exceptions)
•
Keep accurate copy of network
configuration state in Tail-f NSO at
all times
Benefits:
•
Automation can be based on
accurate real-time view of service
and network state
•
Much higher degree of automation
possible
Multivendor Layer 2, Layer 3, and Layer
4-7 Network
Confidential
19
Tail-f NSO Main Feature 3: In-memory Data Store
Tail-f NSO
Multivendor Layer 2, Layer 3, and Layer
4-7 Network
Confidential
•
Stores both service and device config
states
•
RAM datastore with persistent
journaling
•
Runs as integral part of NSO
application (in the same address
space)
•
Native YANG database with compact
binary data encoding
•
1:N data replication (asynchronous or
synchronous)
•
Subscription notifications with priority
level ordering
•
In-service schema (data model)
upgrade
•
Distributed 2PC transaction manager
20
Tail-f NSO Main Feature 4: FastMap* Algorithm
CREATE SERVICE
UPDATE SERVICE
DELETE SERVICE
REDEPLOY SERVICE
Tail-f NSO
FastMap:
•
Only the CREATE operation needs
to be specified
•
UPDATE, DELETE and REDEPLOY
operations are automatically
generated and compute minimal
change set needed
FastMap*
Benefits:
•
Reduces service implementation
code by two orders of magnitude
•
Supports modifications of services
at runtime
* Patent No.: US 8,533,303 B2
Confidential
Multivendor Layer 2, Layer 3, and Layer
4-7 Network
21
Tail-f NSO Main Feature 5: Reactive FastMap*
CREATE SERVICE
UPDATE SERVICE
DELETE SERVICE
Tail-f NSO
REDEPLOY SERVICE
FastMap*
Changed network state triggers service redeploy
Benefits:
One algorithm supporting:
•
Provisioning
•
Orchestration
•
Elasticity
•
Virtual machine and VNF
mobility
•
Self-healing network
* Patent No.: US 8,533,303 B2
Multivendor Layer 2, Layer 3, and Layer
4-7 Network
Confidential
22
NSO Overview, Zoom 3
Network
Engineer
OSS/BSS
NETCONF
NSO
REST
CLI
EMS/NMS
Web UI
SNMP
JAVA/Javascri
pt
Service
Models
Service Manager
Script API
AAA
Package
Manager
Mapping
Logic
Core Engine
Templates
Fast Map
Developer
API
Alarm Manager
Notification Receiver
REST
Device
Models
OpenFlow Controllers
Network Element Drivers
NETCONF SNMP
Device Manager
CLI
WS
Openflow Switches
Multi-Vendor Network
Confidential
23
23
Device Manager
• Configuration database
• Policies and templates
• Device model management
• Configuration validation
• Version management
• Network configuration audit
• Transactions and rollbacks
• System-­‐wide access control
• Pre-­‐provisioning with dry-­‐run • Notifications
configuration
• Configuration sync
• Device groups
Confidential
• Automatic integration to
Netconf, Cisco CLI, SNMP
devices
24
24
Service Manager
• Service modeling
• Dynamic update
northbound interface
from service model
• Mapping to device
model
• Service activation and
Confidential
modification
• Validation of service
configuration
• Service check-­‐sync
• Maintaining
relationships between
services and devices
25
25
CDB
qStores configuration data
qMultiple datastores per Netconf standards
qACID test compliant
qMemory resident with file system journaling for persistence
q1:N data replication
qIn-­‐service data model update
Confidential
26
26
NED
qUsed to communicate southbound (to device)
qReplace proprietary adaptors
qCompletely model driven
qNo coding required:
• Netconf NED
• CLI NED
• SNMP NED
qGeneric NED
• For device does not support above, but can use: REST, Cobra, XML-­‐RPC, etc.)
qNEDs are constantly being created and updated.
Confidential
27
27
NED Overview
• NED’s are created and maintained by Cisco Engineering.
• NED’s are classified as either Production or POC grade by Cisco Engineering.
• Production Grade
• Can be sold as a license
• Used in production today and continuously tested towards all active NCS/NSO versions on
real equipment (reference hardware and software versions).
• Fully supported by the Cisco Support team.
• It covers at least the use cases of its current customers and the coverage is continuously
expanded.
• Messaging to customers: The NEDs you purchase will support all the configuration you
require for when you need it
• Provided that the customer has support contract, makes available the required configurations in
advance.
• POC Grade
• Can be used for demos or POC’s.
• Can be sold if upgraded to Production Grade.
• Not tested continuously on real equipment.
• Messaging to customers: The NED can show case NCS towards the devices in a POC but for a
real deployment, the NED needs to be upgraded to production grade.
Confidential
28
Supported Vendors
Production Grade
Confidential
PoC Grade
29
Current NED Library
Production grade
NEDs coverage
Vendor
Device/Platform
Vendor
Device/Platform
Vendor
Device/Platform
Adtran
Total Access 900 Series
Cisco
IOS
F5 Networks
Adva
Carrier Ethernet FSP 150CC Series
Affirmed Networks
Acuitas Service M anagement S ystem Alcatel-­‐Lucent
7210 Service Access S witch 7750 Service Router 7450 Ethernet Service S witch 7705 Service Aggregation Router 7750 Service Router 7950 Extensible Routing System
BIG-­‐I P 1600 BIG-­‐I P 3600 BIG-­‐I P 3900 BIG-­‐I P 6400 BIG-­‐I P 8900 BIG-­‐I P V irtual Edition Viprion Chassis
Fortinet
FortiGate
FortiGate
FortiGate
FortiGate
Huawei
NE40E Series Quidway S3300 Series Enterprise Network Simulation Platform
Juniper
EX S eries Ethernet Switches M S eries M ultiservice Edge Routers MX S eries 3D Universal Edge Routers QFX S eries SRX Series S ervices Gateways Firefly Perimeter (Virtual SRX) Overture
1400
Ciena
3000 Family 5000 Family IOS XR
ESM
Cisco
ASA
IOS
Confidential
IOS XE
ASA 1000V Cloud Firewall ASA 5500-­‐X S eries Next-­‐Generation Firewalls NX OS
800 Series Routers 1800 Series I ntegrated Services Routers 1900 Series I ntegrated Services Routers 2500 Series Routers 2600 Series M ultiservice Platforms 2800 Series I ntegrated Services Routers 2900 Series I ntegrated Services Routers 3800 Series I ntegrated Services Routers 7200 Series Routers 3900 Series I ntegrated Services Routers 7200 Series Routers 7600 Series Routers Catalyst 2900 S eries Switches Catalyst 3550 S eries Intelligent Ethernet Switches Catalyst 4500 S eries Switches
Catalyst 4900 S eries Switches Catalyst 6500 S eries Switches ME 3400 S eries Ethernet Access S witches ME 3600X Series Ethernet Access S witches ME 3800X Series Carrier Ethernet Switch Routers ME 4900 S eries Ethernet Switches uBR10000 Series Universal Broadband Routers
ASR 900 Series Aggregation Services Routers
ASR 1000 Series Aggregation Services Routers
CSR 1000V S eries ASR 9000 Series Aggregation Services Routers Carrier Routing System IOS XRv Router Nexus 3000 Series Switches
Nexus 5000 Series Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 1000v Series S witches
Quantum Policy Suite for Mobile 2200
5000
5100
StarOS
6000
ASR 5000 Series
200 S eries
3000 S eries
800-­‐600 Series
Virtual Appliances
Palo Alto Networks
PA-­‐2000 Series PA-­‐3000 Series Virtualized Firewalls Quagga
Quagga Routing Software Suite (BGP module)
30
Current NED Library
POC grade
NEDs coverage
Vendor
Device/Platform
Vendor
Device/Platform
A10 Networks
AX S eries
Citrix
Netscaler 1000v
Accedian
High Performance Service Assurance MetroNID
Clavister
cOS Core
Affirmed Networks
Acuitas Service M anagement S ystem Alcatel-­‐Lucent
5620 Service Aware Manager
Dell Force10
Networking S-­‐S eries
Allied Telesis
x210 Series
Ericsson
EFN324 Series
SE family
Arista
7150 Series
Avaya
ERS 4000 Series
SR 8000 Series
VSP 9000 S eries
H3C
S5800 series
Infinera
DTN-­‐X Multi-­‐Terabit Packet O ptical Network Platform
Juniper
Contrail Controller
NEC
iPASOLINK family
Nominum
DCS
Open v Switch
OVSDB (shell)
Brocade
ADX S eries MLX S eries NetIron CES 2000 Series
Vyatta 5400 v Router (Vyatta VSE) CableLabs
Converged Cable Access Platform
Cisco
ME-­‐4600
Pulsecom
SuperG
Prime Network Registrar Riverbed
Steelhead Series
UCS Manager
Sonus
SBC 5000 Series
Confidential
31
Tail-f NSO Differentiation: Agility and Flexibility
Implementation of new service = 2 days
How?
Data model for MPLS L3 VPN service:
100 lines of YANG
Mapping MPLS L3 VPN service model to
network of Cisco 7600, Cisco ASR 9K
and 3.party devices:
300 lines of XML template
Confidential
Support for new device type = 2 weeks
How?
Develop YANG device model
Network Element Driver automatically
generates sequences of device-specific
commands (CLI, REST, SOAP, SNMP,
NETCONF, etc).
How?
How?
FASTMAP algorithm
NED algorithm
32
32
NSO for Network Engineers – User Interfaces
Auto-rendered Web UI with
powerful extensibility features
Confidential
IOS-XR or J-style CLI for networkwide configuration changes
33
Customer Use Cases
Confidential
34
Deutsche Telekom NFV example: Everything-as-a-Service
Tail-f
NSO
Virtualized Network Functions
NFV applications in
TeraStream, controlled
by Tail-f NSO:
Confidential
•
VPNs
•
Triple-Play
•
IPv4
•
DNS
•
DHCP
•
IMS / SBC (TBD)
•
CDN (TBD)
1.27.2016
35
35
Customer Example: VPN Provisioning
Business Challenge:
Benefits with NSO:
Fast delivery of various types of VPNs (L2 and
L3) and Carrier Ethernet 2.0 services for traffic
separation in a dynamic, programmatic way.
•
Confidential
Provision complex VPNs spanning
50,000+ devices from multiple vendors
using network-wide, transaction-safe
features
•
Juniper MX series core routers
•
•
Cisco for PE
Overture, Adtran and ADVA for CE
•
Develop VPN services using CLI templates
of Java
•
Support for provisioning, updating and
removing VPNs using minimal diffs
•
API integration with customer self-service
portal, OSS, and analytics systems
36
Twitter: Datacenter Network Automation
Business Challenge:
•
Benefits with NSO:
Scaling operations by programming
network vs error-prone manual process
& scripts
Network
Engineers
Perl
Scripts
Config
file
backup
•
Network automation = free up engineer’s time
•
Auto-rollback & no more config errors
Networking
Applications
Network
Engineer
NSO
Cisco, Juniper, F5, A10, PAN, etc
Confidential
Cisco, Juniper, F5, A10, PAN, etc
37
Customer Example: Firewall Rules Management
Business Challenge:
Benefits with NSO:
Automation of firewall provisioning and
distributed ACL rules management
• Manage ACL rules across multi-vendor
network (e.g. Cisco ASA and Juniper
SRX)
Rule 1: SRC: 192.168.1.128/28 DST: 10.26.10.0/23 PROTO: TCP PORT: 80
..
• Easy migration for rip-and-replace
• Atomic change sets with full transaction
integrity and auto-rollback
NSO
Juniper SRX
Confidential
• Model driven architecture allows for
optimization of rules
Cisco ASA
VMWare
vShield
38
Tier1 SP in Asia: Security-as-a-Service
Traffic
Shaper
A
A
B
B
IPS/IDS
Content
Filtering
WAN
acceleration
Firewall
Use case:
Scale:
§ Provisioning of L4-L7 security
§ Thousands of business customers
services to VPN customers
Business case:
§ Incremental revenue from new
§ Dozens of Regional POPs
§ Several Datacenters
§ Tens of thousands of DC tenants
business
Confidential
1.27.2016
39
39
High Availability
•
•
•
•
Master-­‐slave architecture based on database replication
One-­‐to-­‐many with hot standby and failover
Synchronous or asynchronous replication
Designed to work with many high-­‐availability frameworks
Read Only
NSO (Slave #1)
Read and Write
NSO (Master)
Service Manager
Device Manager
Service Manager
Device Manager
NSO (Slave #n)
Service Manager
Device Manager
Confidential
40
Scaling With Clustering
•
•
•
•
•
Scale up with device and service NSO instances
Scale out with sets of device-­‐ and service-­‐NSO instances
Groups of devices per device-­‐NSO (e.g. along administrative boundaries)
Groups of services per service-­‐NSO (e.g. along service types)
Service-­‐ and device-­‐instances can be deployed in HA sets
...
...
Confidential
41
A lot more information
§ http://www.tail-f.com/
network-control-system/
• Product literature
• Demos / Videos
• FAQ
Confidential
42
42
NSO Training
Empowering Cisco, Partners & Customers
Advanced NSO training
Basic NSO training
•
•
•
3 days, Deep-­‐dive, Hands-­‐on, Instructor-­‐led, 15 students/class
Prioritization by business rationale and impact on NSO sales & implementation success
FY15 YTD: Trained – 50, Planned/In queue – 100 (as of April 28 2015)
Confidential
•
FY15 YTD: Trained – 410, Planned/In queue – 80 (as of April 28 2015)
43
NSO DevNet
Empowering Cisco, Partners & Customers
• Share and Expand knowledge
• Find answers to difficult questions
• Drive Platform SW innovation
• Central content repository
• Discover general and specific NSO Use Cases and YANG Models
Community members
Trained Field Community
Cisco Business Units
Customers
NSO Solution Architects
Advanced Services
OSS SI, ISV Partners
Internal
Confidential
• Watch +30 training videos
External and future scope
44
http://www.cisco.com/web/DK/learn_events/seminarkalender2016.html
http://www.cisco.com/web/DK/seminarer/materialer.html
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
45
Tak
Confidential
46