Cisco Open Network Environment (Cisco ONE) and Software Defined Networking (SDN)

Cisco Open Network Environment (Cisco ONE)
and
Software Defined Networking (SDN)
Andy Vallely
Solutions Architect
EMEAR Education Team
DC SEVT Presentation; 13 November 2012
Cisco Confidential
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1

Cisco ONE Overview
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

Expose Network Value
Automation, Monitoring, Programmability
Program for
Optimized
Experience
POLICY
Orchestration
Network
ANALYTICS
Harvest Network
Intelligence
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3

Basic Definitions
What Is Software Defined Network (SDN)?
“…In the SDN architecture, the control and data
planes are decoupled, network intelligence and state
are logically centralized, and the underlying network
infrastructure is abstracted from the applications…”
Note: SDN is not mandatory for network programmability nor
automation
Source: www.opennetworking.org
What is OpenStack?
Opensource software for building public
and private Clouds; includes Compute (Nova),
Networking (Quantum) and Storage (Swift)
services.
Note: Applicable to SDN and non-SDN networks
Source: www.openstack.org
What Is OpenFlow?
Open protocol that specifies interactions between
de-coupled control and data planes
Note: OF is not mandatory for SDN
Note: North-bound Controller APIs are vendor-specific
What is Overlay Network?
Overlay network is created on existing network
infrastructure (physical and/or virtual) using a network
protocol. Examples of overlay network protocol are:
GRE, VPLS, OTV, LISP and VXLAN
Note: Applicable to SDN and non-SDN networks
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4

Customer Insights: Network Programmability
Research/
Academia
Experimental
OpenFlow/SDN
components for
production
networks
Network
“Slicing”
Massively Scalable
Data Center
Customize with
Programmatic
APIs to provide
deep insight into
network traffic
Network Flow
Management
Cloud
Automated
provisioning and
programmable
overlay,
OpenStack
Scalable
Multi-Tenancy
Service Providers
Policy-based
control and
analytics to
optimize and
monetize
service delivery
Agile Service
Delivery
Enterprise
Virtual workloads,
VDI, Orchestration
of security profiles
Private Cloud
Automation
Diverse Network Programmability Requirements Across Segments:
Automation, Monitoring & Flow Programmability
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5

Network Programmability Models
CLI, SNMP, Netflow, …
Control Plane
Data Plane
1 Programmable APIs
Vendorspecific
APIs
Applications
Control Plane
Data Plane
Vendor
Specific
(e.g. onePK)
2a Classic SDN
Vendorspecific
APIs
OpenFlow
Applications
Controller
Data Plane
Vendor
Specific
(e.g. onePK)
2b Hybrid “SDN”
Vendorspecific
APIs
OpenFlow
Applications
Controller
Control Plane
Data Plane
Vendor
Specific
(e.g. onePK)
Openstack and Network Overlays Apply to All Models (Physical/Virtual)
Custom Features Can Be Built
Vendorspecific
APIs
Applications
Virtual Control Plane
Virtual Data Plane
Overlay
Protocols
(e.g. VXLAN)
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6
3
Network Virtualization/
Virtual Overlays
Control Plane
Data Plane

Evolution of the Intelligent Network
Preserve What’s Working Evolve for Emerging Requirements
• Resiliency
• Scale and Security
• Rich feature-set
+
• Operational Simplicity
• Programmability
• Application aware
Evolve the Network for the Next Wave of Application Requirements
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7

Cisco Open Network Environment
Industry’s Most Comprehensive Networking Portfolio
Hardware + Software Physical + Virtual Network + Compute
1.
Platform
APIs
Network
One Platform Kit (onePK)
- Programmatic APIs for Network
HW (IOS, IOS-XR, NX-OS)
Applications
2. a
Controllers
And
Agents
Physical Virtual
SDN:
- Controller SW (OpenFlow, onePK)
- OpenFlow 1.x support
3.
Virtual
Overlays
Open Clouds with
Nexus 1000V
- Multi-hypervisor
- Multi-service
- Multi-cloud
- Openstack support
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8

onePK & OpenFlow
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9

OpenFlow is Built on onePK
NETCONF Agent CIM Agent
Element
Interface
OpenFlow
Agent
ONE Agent Framework (proposed agents)
Puppet Agent Prime agent Custom Agent onePK Mgmt
Apps
Agents
onePK Presentation APIs (C, Java, Python, ...)
Comm libraries
Comm libraries
onePK Abstraction APIs
Developer U6li6es Discovery Policy Rou6ng Datapath Ext…
Cisco Network Opera6ng System (IOS, IOS-­‐XE, IOS-­‐XR, NX-­‐OS) (PlaAorm PI Code)
Cisco Network Opera6ng System (IOS, IOS-­‐XE, IOS-­‐XR, NX-­‐OS) (PlaAorm PD Code)
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10
onePK
Client
Process
boundary
onePK
Server

© C97-708996-00 2011 Cisco and/or © 2012 its affiliates. Cisco and/or All rights its affiliates. reserved. All rights reserved.
Cisco Confidential 11

C97-712303-00 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
12

“An open solution for VM
mobility in the Data-Center”
“A way to reduce the
CAPEX of my network
and leverage commodity
switches”
“A solution to build virtual
topologies with optimum
multicast forwarding behavior”
“A way to optimize link utilization in my network
enhanced, application driven routing”
“A means to get assured
quality of experience for
my cloud service offerings”
Simplified
Operations
“A platform for developing new
control planes”
“A means to scale my fixed/mobile
gateways and optimize
their placement”
“A way to optimize broadcast TV delivery
Enhanced
by optimizing cache placement and
cache selection”
“A way to distribute policy/intent, e.g. Agility
for DDoS prevention, in the network” “A way to configure my entire network
as a whole rather than individual
devices”
“An open solution for customized flow forwarding
control in and between Data Centers”
“A solution to build a very large
scale layer-2 network”
New
Business
Opportunities
“Develop solutions at software speeds: I don’t
want to work with my network vendor or go
through lengthy standardization.”
“A means to do
traffic engineering
without MPLS”
“A way to build my own
security/encryption solution”
“A solution to get a global view of the
network – topology and state”
“A way to
scale my
firewalls and
load
balancers”
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13

The Big Picture
• Open Network Environment –
Complementing the Intelligent Network
Preserve what is working:
Resiliency, Scale and Security,
Comprehensive feature-set
Evolve for Emerging Requirements:
Operational Simplicity, Programmability,
Application-awareness
• The Open Network Environment
integrates with existing infrastructure
Software Defined Network concepts are a
component of the Open Network Environment
Programmatic
APIs
Open
Network Environment
Agents and
Controllers
Simplified Operations
Enhanced Agility Network Monetization
The OpenFlow protocol can be used to link agents and controllers, and as such is component of
SDN as well
Network
Virtualization
Infrastructure
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14

• What Could Possibly Go Wrong?
• Plenty!
• One MSDC estimates that ~10% of new
switches are cabled incorrectly
• Cascading effect: bad cabling -> bad autoconfig
-> bad network behavior
• The network needs to save us from ourselves.
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15

CLI
SNMP
HTML
XML
AAA
CDP
Syslog
Netflow
Routing Protocols
Span
Traditional Approach
IOS / XR / SE / NXOS
Monitoring
Policy
Interface
Discovery
Routing
Data Plane
Actions
Events
App
EEM (TCL)
New Paradigm
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16
App
C
Java
Anything you can think of

Applications
That YOU
Create
onePK
Any Cisco
Router or
Switch
Flexible development environment to:
• Innovate
• Extend
• Automate
• Customize
• Enhance
• Modify
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17

C97-712303-00 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
18

IOS / XE
(Catalyst, ISR, ASR1K)
C, JAVA Program
onePK API Presentation
onePK API Infrastructure
NXOS
(Nexus Platforms)
IOS XR
(ASR 9K, CRS)
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 19

Process Hosting
Network OS
Container
onePK Apps
Blade Hosting
Blade
Network OS
Container
onePK Apps
Write Once, Run Anywhere
End-Point Hosting
onePK
Apps
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20
External
Server
Network OS

Local firstorder
analysis
Network OS
Time Scale (seconds)
onePK Application
“Agent”
Frequent local actions
Any communication protocol
(xmpp, OF, CIM, REST, etc)
Centralized
Management /
Orchestration Application
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 21
Time Scale
(minutes)
Centralized
coordination
Consolidated
central reporting.
Meta- and
exception-analysis.

C97-712303-00 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
22

Base Service Set Description
Data Path Provides packet delivery service to application: Copy, Punt, Inject
Policy
Provides filtering (NBAR, ACL), classification (Class-maps, Policy-maps), actions (Marking,
Policing, Queuing, Copy, Punt) and applying policies to interfaces on network elements
Routing Read RIB routes, add/remove routes, receive RIB notifications
Element
Get element properties, CPU/memory statistics, network interfaces, element and interface
events
Discovery L3 topology and local service discovery
Utility
Developer
Syslog events notification, Path tracing capabilities (ingress/egress and interface stats,
next-hop info, etc.)
Debug capability, CLI extension which allows application to extend/integrate application’s
CLIs with network element
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23

Element
System
Interfaces
Discovery
CPU, Memory, Platform, Serial #, Versions, Uptime,
Routing
Location, OIR, CLI Changes
Port, Slot, BW, MTU, TX/RX, BPS, PPS, Errors, Other Stats,
QoS
Config, Link Changes
CDP, Security Topology Graph, Edges, Nodes, Topology Changes
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24
Application

Element
System
Interfaces
Discovery
Location
IP address, MTU, Clear Stats, Shut/No Shut
Filters
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25
Application

New Switch
Cable Error: G0/3 to G0/1 on
N3K-main. Should be G0/3 to G0/3
on N3K-main.
Sorry. Fixed it.
Cabling Verified. Starting
interface config
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26

application
2. Get Wiring Diagram
3. Compare Actual
to Diagram
4a. Send/Receive XMPP
XMPP
1. Get Actual Topology
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27
TFTP
hostname-topo

application
5. Apply Config
4b. Get Config For Good
Interfaces
3. Compare Actual
to Diagram
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28
TFTP
hostname-Ethernet1-1-conf

application
1. Application Could Run on Switch
2. Works Out of The Box
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 29

PoAP
• Automated base
config
• OVA download
Containers
• Run apps in virtual
machines on the
switch
onePK
• Apps get deep,
programmatic access
to device
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30

Policy
Routing
QoS
Security
RIB, Next-Hop, metric, AD, scope
(VRF), Changes
Configured Classes
Configured ACLs
Application
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 31

Policy
Routing
QoS
Security
Static routes
Service-Policies (Police, Mark, Shape,
Queue)
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 32
ACLs
Application

Get Routes
Set Routes
Sample Code.
Subject to Change
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 33

Example: Custom Routing
Data Center Traffic Forwarding Based on a Custom Algorithm
ISR Pricing 2
Route A Route B
$1
$2
$3
$1
$2
$3
1
3
App
Destination
Route A
Route B
Unique Data Forwarding Algorithm Highly Optimized
for the Network Operator’s Application
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 34
onePK

Initial Setup: Default routing using EIGRP
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 35

Routing for Dollars: Application driven routes installed in network
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 36

Tracing the application installed route – using the developer and element services
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 37

Data Plane
Copy or Punt Packets
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 38
Application

Data Plane
Inject New or Modified Packets
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 39
Application

TRY(rc, onep_dpss_register_for_packets(
ne1,
dpss,
targ_left,
interesting_class,
ONEP_DPSS_ACTION_PUNT,
encrypt_callback,
(void *)intf_left,
&reg_handle), "Register for packets");
Sample Code
Subject to Change
Where traffic goes next
Defines traffic of interest
Action to take on
interesting traffic
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 40

Problem: Customers want custom encryption on specific traffic types
Value proposition: Punt traffic of interest, encrypt, and re-inject.
1. Policy APIs on ingress router are set to
punt telnet and syslog to app
2. App encrypts punted traffic and re-injects
into data path.
3. Policy APIs on egress router punt telnet
and syslog to app
4. App decrypts punted traffic and re-injects
into data path.
5. Traffic that does not match policy passes
through unencrypted.
onePK application
onePK application
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 41
telnet
http
5
http
telnet
encrypt http
1
encrypt
2
Unsecure
Network
3
encrypt
telnet
4

What Client Sees
What Wireshark Sees
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 42

Security Five Ways
Code Isolation
Strong Typing
AAA (PKI)
Encryption (TLS)
Code
Security
Runtime
Security
App
Security
onePK
Digital Signing
Certification Process
Container
Security
Admin
Security
CLI Control
Resource Allocation
Isolation
Resource Consumption
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 43

BUILD, AUTOMATE, IMPROVE
SPEED & FASTER ADAPTABILITY
EXTEND
REVENUE & COST SAVINGS
SIMPLICITY, INTEGRATION & THE POWER OF CHOICE
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 44

onePK Sample Applications
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 45

Thank you.
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 46