Centec's SDN Switch: Built from the Ground Up to Deliver an Optimal Virtual Private Cloud

Table of Contents
Virtualization Fueling New Possibilities: Virtual Private Cloud Offerings
Current Approaches to Network Virtualization Force Compromises
Centec: A New Way to Approach VPCs
Flexible Deployment Modes
The Centec Difference
Conclusion
Contact Information
Appendix: Multi-Level Flow Table
Appendix: External Controller Architecture
Appendix: Internal Controller Architecture
Virtualization Fueling New Possibilities: Virtual Private Cloud Offerings

Over the past five years, organizations large and small have been moving to the cloud to take advantage of the efficiencies and scalability it offers. It's an attractive value proposition: instead of having to invest in, build out and manage all the infrastructure required to support the different applications and services an organization needs, they can turn to a provider to quickly and cost-effectively provision it all for them. The popularity of software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) solutions is a testament to how eager organizations are to simply consume a service, without having to worry about all the underlying complexity required to enable and support it. This is why organizations are increasingly interested in Virtual Private Cloud (VPC) offerings, as they look to consume the underlying capacity they need to deliver all their different business applications and services.

Cloud Providers are struggling, however, to deliver VPCs that offer the performance, agility and cost efficiencies customers expect from a cloud offering; the challenge is in the underlying network. Virtualization is the key to enabling these new offerings, but while compute and storage architectures have been virtualized for some time now, the network has lagged behind. Only recently, with the introduction of software defined networking (SDN) and network function virtualization (NFV), is the network able to support the fast provisioning, flexibility and scale of the compute and storage architectures it connects. SDN and NFV solutions separate the management and the services, respectively, of the network from its traffic forwarding capabilities; however, how this separation is done can make all the difference in the results.
Cloud Providers need to ensure the SDN solution they choose to support their VPC offerings can enable them to quickly and easily isolate tenants and support all the value-added services and applications their customers need to run their business. This paper reviews the different approaches to network virtualization and the advantages of Centec's hybrid switch solution.

Current Approaches to Network Virtualization Force Compromises

There are a number of ways Cloud Providers can virtualize the network to provision a VPC offering, each with its own benefits and challenges. At a high level, they can be split into two different approaches:

1. A software overlay approach, where everything is done via software encapsulation, mostly using virtual switches, and the hardware network is generally unaware of the virtual networks.
2. Direct fabric programming, where each switch (both hardware and virtual) is programmed directly to operate as it should to handle multiple virtual networks.

There are, of course, various implementations of each approach, which are detailed in the table that follows.
Comparison of network virtualization approaches. (Each row of the original table also carried a topology diagram showing Host 1 and Host 11 connected through a ToR switch, aggregation switch and core router, with the tunnel header or VLAN tag wrapped around the original packet; the diagrams are not reproduced here.)

Software Overlay

Virtual Local Area Network (VLAN)
  Overview: Traditional implementation; the private network is delivered by encapsulating traffic at Layer 2 over a traditional L2/L3 topology.
  Pros:
  - Simple deployment and high stability.
  - Supported by all networking equipment today.
  - Minimal packet overhead (inserts only a 4-byte VLAN tag).
  - Can support both virtualized nodes and physical nodes.
  - Moderate visibility: original packets are visible to management tools.
  Cons:
  - Scalability limited to 4K VLANs.
  - Difficult to realize automatic control of the original physical devices.
  - MAC addresses of VMs need to be visible to the physical switches, so the MAC table size can become the bottleneck of the network.

Tunnel overlay based purely on software
  Overview: The most common implementation; the private network is created entirely via the virtual switch, tunnelled over a traditional L2/L3 topology.
  Pros:
  - Hardware independence.
  - High flexibility.
  - Network operation and maintenance teams can be separated.
  - High scalability of the network.
  Cons:
  - The virtual switch is easily overloaded, which can impact performance:
    o Inefficient lookup on a huge flow table.
    o Network Interface Cards (NICs) can't support TCP fragmentation offloading because they don't receive complete TCP packets.
    o Each server is seen as a network node, which can overload the cloud controller.
  - Poor network visibility: management tools can't see the original packets.

Direct Fabric Programming

Proprietary hardware fabric (overlay based on hardware)
  Overview: The network is seen as a fabric, connecting all nodes by a tunnel overlay that applies different policies to different access services.
  Pros:
  - Excellent performance and high reliability.
  - High visibility of the network, including original packets.
  - Good enough scalability and flexibility.
  Cons:
  - Closed system: poor compatibility with other devices/vendors.
  - Extremely expensive to build out.

OpenFlow network
  Overview: Entire network of OpenFlow switches (OpenFlow is an open standard that supports innovative routing and switching protocols).
  Pros:
  - Excellent performance.
  - High visibility of the network, including original packets.
  - Simplified management: both the virtual and the physical network are controlled by the same management platform.
  Cons:
  - Closed system: poor compatibility with other devices/vendors, because not all devices support OpenFlow.
  - Extensive upgrade: all devices (from aggregation to the core) need to be upgraded to support OpenFlow.
  - Labor intensive: a lot of development is required to migrate, and a lot of complex rules must be managed and maintained.

All of these approaches force some sort of compromise: the software approaches offer a lot of flexibility, but have scale, visibility and performance issues; the direct fabric programming approaches deliver scale, visibility and high performance, but are expensive and inflexible, often locking customers into a single vendor's solutions.

Requirements for a VPC

What is really needed is a hybrid solution that combines the best of both the software and hardware approaches, making it easy to deploy and manage a solution that delivers:
- Flexibility
- Visibility
- High Performance
- Scale

Centec took the challenge and developed a solution that allows Cloud Service Providers to leverage network virtualization in a way that takes advantage of both software and hardware benefits to support truly successful VPC deployments.
Centec: A New Way to Approach VPCs

Centec offers a new way to build multi-tenant networks in an SDN VPC platform that brings the best of both the software and hardware worlds together, without compromise, by using a ToR-offload approach. The ToR-offload hybrid solution combines specialized top-of-the-rack (ToR) switches (hardware) and an integrated OpenStack Cloud Controller (software) to provide the benefits of a unified network fabric (tunnel overlay) that delivers both the performance and the flexibility providers need.

[Figure: Centec ToR-offload topology. Host 1 and Host 11 connect through SDN ToR switches to a traditional Layer 2/3 aggregation switch and core router; the VLAN tag and tunnel header are carried around the original packet.]

The distributed design of the Centec solution offloads many of the processing-intensive operations to the ToR switches. The ToR switches operate as "super NICs", using Centec's next-generation switching silicon to deliver optimal performance and take on the offloaded work. The Controller, which is a plug-in, manages all the ToR switches via a standard OpenFlow interface, treating them as part of a hypervisor.

Centec's ToR-offload solution requires that the Open vSwitch (OvS) instance on the compute node only maintain local VM information, to keep its flow table small. All remote VMs not running on the compute node are managed and maintained by the ToR switch. The role of the OvS instance is to forward packets within the local system; packets not matching local VMs are forwarded via the NIC to the ToR switch (pre-fragmenting them if necessary). The ToR switch uses multiple table lookups to perform the following functions:

- Identify the appropriate network instance ID and tenant instance ID
- Rate-limit packets, if required
- Track statistics per VM/network/tenant
- Perform security checks
- Determine whether the packet will be forwarded via Layer 2 bridging or Layer 3 routing
- Find the destination ToR and send the packet:
  o directly to that ToR, or
  o via a ToR-to-ToR tunnel. In this case, the destination switch conducts similar functions, de-encapsulating the packet and forwarding it to the appropriate destination OvS, which sends it to the right VM.

To support the virtual distributed Layer 3 gateway, the ARP proxy in each ToR switch tells the VMs that their gateway's MAC address is attached to the ToR switch. This scheme solves the bottleneck issues of Layer 3 gateways in current OpenStack platforms. More information on the multi-table implementation is covered in the Appendix.

Flexible Deployment Modes

The Centec ToR-offload SDN solution doesn't rely on private protocols or have any special requirements for the aggregation and core devices in the network, so it can easily integrate within any cloud environment. There are two primary ways to deploy the solution, based on a Cloud Provider's requirements. They can deploy using an:

1. External Controller: Centec can integrate with any external Controller that is compliant with the OpenFlow protocol. With this architecture, each ToR switch is controlled by the Controller via an OpenFlow interface. The ToR switches are only responsible for forwarding traffic, with the application layer above the OpenFlow Controller taking over operations such as translating messages into the flow table. Communications between the Controller and the ToR switches include OpenFlow and Open vSwitch Database (OVSDB) messages, which set up the private network (tunnels). Only query messages from the OVS Agent in the compute node are transmitted to the Centec Plug-in, to look up the VLAN ID/Tunnel ID. Apart from that, there are no other network messages between the compute node and the Centec Plug-in.
Powered by Centec's next-generation switching silicon, with its innovative N-Flow architecture, the ToR switches deliver:
- Application-oriented flow tables, with programmable match fields and actions
- 32K flows, without expensive, inefficient external TCAM
- Interoperability with leading SDN controllers and switches, thanks to OpenFlow support

2. Internal Controller: In this architecture, the ToR switches take on some networking operations to reduce the processing required by the control nodes. The Cloud Platform sends abstract data to the ToR switches, which run a Cloud Agent with a DHCP Proxy dedicated to translating all broadcast DHCP packets into unicast packets sent to the DHCP Server. They also have an integrated ARP Proxy responsible for replying to ARP requests from VMs, which significantly reduces the amount, and impact, of broadcast traffic on the network nodes. The ARP Proxy serves a second purpose: it assists in supporting the virtual distributed Layer 3 gateway.
The Centec Difference

The Centec ToR-offload solution uses tunnels to abstract the network and easily isolate tenants, while offloading the compute-intensive operations (e.g. encapsulation/de-capsulation) to the ToR switch to ensure optimal performance. By reducing pressure on the control plane, the network can be quickly scaled to address changing needs. The solution offers:

- Flexibility: requiring no special networking equipment beyond the ToR switches, and supporting open, standards-based protocols, ensures the solution can easily integrate into a variety of environments and meet the specific needs of different cloud deployments.
- Simplified Management: abstracting the complexity of the network (including table mappings) enables Cloud Providers to quickly and easily manage VPC offerings and roll out value-added network services to meet customer demands. It provides visibility into the network (including the original packets) to make it easy to understand what is going on and to quickly troubleshoot any issues.
- High Performance and Scale: offloading intensive network processing functions, such as flow table lookup, tunnel encapsulation/de-capsulation and quality of service (QoS), to ToR switches using Centec's next-generation silicon ensures optimal performance and scale. By minimizing broadcast, multicast and unknown unicast traffic throughout the network, the solution eliminates unnecessary bandwidth consumption and potential disruptions to maximize uptime.
- Lower Costs: the solution is easy to deploy and manage, as there is no need to change the original network architecture, and it leverages a cost-effective blend of hardware and software that drives down both CAPEX and OPEX.

Conclusion

The Centec hybrid ToR-offload solution gives you the flexibility of a software overlay with the performance of hardware. By abstracting the complexity, the Centec solution makes it easy for Cloud Providers to deploy and manage VPC offerings for their customers.
With OpenFlow ToR switches, the solution performs all the necessary acceleration functions in hardware and manages all the coordination and complexity, making it easy to make adjustments as needs change. With Centec, Cloud Providers can support their VPC offerings, quickly and easily isolating tenants and supporting all the value-added services and applications their customers need, to increase satisfaction and loyalty and drive new and recurring revenue.

Contact Information

Address: Suite 4F-13/16, Building B, No.5 Xing Han Street, Suzhou Industrial Park, Jiang Su Province, China
Appendix

Centec's use of its own merchant silicon in its switches allows it to support advanced capabilities that enable new features in today's data centers. Unlike typical merchant silicon solutions, Centec is able to provide lower-cost solutions that support advanced features, such as multi-level flow tables that scale to meet a cloud service provider's needs. Here we cover some of the highlights of Centec's hybrid SDN solution for VPCs and provide more details on flow table management and controller orchestration.

Multi-Level Flow Table

Centec supports customization, with programmable match fields and programmable actions to meet different requirements. This example depicts the multi-stage flow table, which provides for 10K tenants and up to 32K VMs. The stages are: identification of VM, network and tenants; per-VM/tenant policy; global policy; Layer 2 forwarding; Layer 3 forwarding.

Table ID  Feature
0         VM identification, network identification, tenant identification, tunnel identification; statistics and QoS operations based on VM/tenant
1         Security or QoS based on VM, subnet or tenant; determines the next-stage table (Table 2 or Table 3)
2         Layer 2 forwarding
3         Layer 3 forwarding

Operational details:

a) On packet entry into the ToR, the switch performs a lookup in the 1st flow table (table ID #0) with a lookup key of (a) VLAN (identifying the tenant), (b) MACSA (MAC source address, which identifies both the VM and the tenant) or (c) port + MACSA (identifying the VM and tenant by checking the VM and port bindings).
b) The metadata of the lookup result is used as the network instance ID and tenant instance ID. The lookup result may also include a rate-limit pointer and a statistics pointer, to rate-limit or collect statistics per VM/network/tenant, as well as to perform a per-VM/network/tenant security check.
c) In the next step, the lookup is performed on the 2nd flow table (table ID #1). Global network security checks are performed. The lookup result also decides whether Layer 2 bridge forwarding or Layer 3 routing will be performed. In the Layer 2 case, the packet goes to the 3rd flow table (table ID #2); otherwise the 4th flow table (table ID #3) is used for the next step.
d) After the lookup in the 3rd or 4th flow table, the packet may be sent to a remote ToR switch via a ToR-to-ToR tunnel. If needed, the packet is encapsulated in the tunnel and sent to the physical network. Before the encapsulation, the original VLAN tag is removed if one existed.
e) After the encapsulated packet arrives at the remote ToR switch, the remote ToR looks up the 1st flow table with a key of the tunnel IP (source + destination) and the encoded tunnel ID. The network instance ID and tenant instance ID are then retrieved, and the same process is applied in the next 2-4 flow tables. After the whole process, the tunnel header is stripped. Optionally, a VLAN tag may be inserted.
f) Finally, the inner packet is sent to the target compute node. Inside the target compute node, the packet is sent to the final VM after the lookup in the internal flow table of OVS.
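The following Python model is an added example, not Centec's code and not taken from the white paper; it walks a packet through the four tables of steps a) to f) above (and the ToR lookup functions listed in "Centec: A New Way to Approach VPCs"), using constructed MACs, IPs, VLAN and tunnel IDs. It shows why keying tables 2 and 3 by network or tenant instance ID turns a cross-tenant destination into a table miss, and how the remote ToR re-identifies a tunnelled packet from the tunnel key.

```python
# Added example (not Centec code): a small model of the four-stage ToR flow
# pipeline from the appendix. All MACs, IPs, VLAN and tunnel IDs are constructed.

# MAC the ToR ARP proxy advertises to VMs as their Layer 3 gateway (constructed).
GATEWAY_MAC = "02:00:00:00:ff:01"

# Table 0 (identification): key is tunnel (src IP, dst IP, tunnel ID), VLAN, or
# port + MACSA (the VM/port binding). Result: network and tenant instance IDs
# plus an optional rate-limit pointer (modelled here as a packet budget per VM).
TABLE0 = {
    ("tunnel", "10.0.0.2", "10.0.0.1", 5001): {"net": 10, "tenant": 1},
    ("vlan", 100): {"net": 10, "tenant": 1},
    ("port_mac", 1, "02:00:00:00:01:01"): {"net": 10, "tenant": 1, "rate_limit": 2},
    ("port_mac", 2, "02:00:00:00:02:01"): {"net": 20, "tenant": 2},
}
# Table 2 (Layer 2 bridging): keyed by (network instance, MACDA). Because the
# network instance is part of the key, a tenant can only hit its own entries.
TABLE2 = {
    (10, "02:00:00:00:01:01"): ("local", 1),
    (10, "02:00:00:00:01:02"): ("tunnel", "10.0.0.2", 5001),  # VM behind a remote ToR
    (20, "02:00:00:00:02:01"): ("local", 2),
}
# Table 3 (Layer 3 routing): keyed by (tenant instance, destination IP) -> (network, MACDA).
TABLE3 = {(1, "192.168.2.10"): (10, "02:00:00:00:01:02")}


def table0_key(pkt):
    """Build the table-0 lookup key: tunnel header, else VLAN, else port + MACSA."""
    if pkt.get("tunnel"):
        return ("tunnel",) + tuple(pkt["tunnel"])
    if pkt.get("vlan") is not None:
        return ("vlan", pkt["vlan"])
    return ("port_mac", pkt["in_port"], pkt["mac_src"])


def table1(pkt):
    """Global policy: security check, then choose table 2 (bridge) or table 3 (route)."""
    if pkt["mac_src"] == GATEWAY_MAC:  # a VM must never source traffic as the gateway
        return "drop"
    return "L3" if pkt["mac_dst"] == GATEWAY_MAC else "L2"


def process(pkt, stats=None):
    """Run one packet through tables 0-3; `stats` is a dict shared across calls."""
    stats = {} if stats is None else stats
    ctx = TABLE0.get(table0_key(pkt))
    if ctx is None:
        return {"action": "drop", "reason": "table0 miss"}  # unknown VM/VLAN/tunnel
    vm = (ctx["tenant"], ctx["net"], pkt["mac_src"])
    stats[vm] = stats.get(vm, 0) + 1  # statistics pointer: count per VM/network/tenant
    if stats[vm] > ctx.get("rate_limit", float("inf")):
        return {"action": "drop", "reason": "rate limit"}
    stage = table1(pkt)
    if stage == "drop":
        return {"action": "drop", "reason": "security check"}
    net, mac_dst = ctx["net"], pkt["mac_dst"]
    if stage == "L3":
        nexthop = TABLE3.get((ctx["tenant"], pkt.get("ip_dst")))
        if nexthop is None:
            return {"action": "drop", "reason": "table3 miss"}
        net, mac_dst = nexthop
    out = TABLE2.get((net, mac_dst))
    if out is None:  # also catches any attempt to reach another tenant's MAC
        return {"action": "drop", "reason": "table2 miss"}
    if out[0] == "tunnel":  # VLAN tag stripped; tunnel ID lets the remote table 0 recover IDs
        return {"action": "tunnel", "dst_tor": out[1], "tunnel_id": out[2], "vlan": None}
    return {"action": "local", "port": out[1], "tenant": ctx["tenant"]}
```

Passing one `stats` dict across several calls to `process` models the per-VM statistics and rate-limit pointers of table 0; the same packet from a VM over its budget is dropped before any forwarding lookup.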
External Controller Architecture

The solution can be integrated with an external Controller, which manages the ToR switches via an OpenFlow interface. The following describes this architecture:

[Figure: External Controller architecture. Clients (OpenStack Horizon, Nova, tenant scripts) use the standard API server, which drives the Centec Plugin; the Plugin handles query messages over RabbitMQ from the OVS agents on the hosts, and an OpenFlow Controller sends OpenFlow messages to the Centec SDN ToR switches. Each host runs its VMs on an OVS bridge holding the local flow table only, attached via its NIC to a Centec SDN ToR. The ToR's OpenFlow Agent writes the flow table, which holds the remote flow table, security groups, QoS and the L3 gateway; the ToRs are connected over the physical network.]
Internal Controller Architecture

When deployed using the internal Controller, the ToR switches are used to offload network operations and minimize broadcast messages. The following describes this architecture:

[Figure: Internal Controller architecture. Clients (Horizon, Nova, tenant scripts) use the standard API server, which drives the Centec Plugin; the Plugin handles query messages over RabbitMQ from the OVS agents on the hosts, and JSON RPC carries the platform's data to the Centec Cloud Agent on each SDN ToR. Each host runs its VMs on an OVS bridge holding the local flow table only, attached via its NIC to the ToR. The Cloud Agent issues OpenFlow messages to the ToR's OpenFlow Agent, which writes the flow table (remote flow table, security groups, QoS, L3 gateway); the ToRs are connected over the physical network.]