SDN For the Rest of Us. Jason Nash, AHEAD

Transcription

1 SDN For the Rest of Us Jason Nash, AHEAD

2 Points We ll Hit What is Software Defined Networking? But I m not Netflix! What real benefits you gain Common use cases

3 Why Are We Here? Are you a VMware or Cisco customer? How many times have they said NSX or ACI to you? Probably too many.

4 What Does Software Defined Mean? Software Defined allows us to define and apply policies in software rather than on individual hardware appliances

5 What Does It NOT Mean? Software Defined does not mean that everything must be done in software!

6 Examples of Software Defined Software Defined Computing Virtualization We no longer worry about underlying physical server capabilities Software Defined Storage Storage VMs are assigned policies for resiliency, backup, replication, etc and are enforced via underlying infrastructure

7 Software Defined Networking Software Defined Networking (SDN) is enabling organizations to accelerate application deployment and delivery, dramatically reducing IT costs through policy-enabled workflow automation. SDN technology enables cloud architectures by delivering automated, on-demand application delivery and mobility at scale.

8 What? You don t deploy thousands of instances? BUT I M NOT NETFLIX!

9 Plenty of Benefits Don t have to be one of those that deploys many instances of their applications Most of the world isn t like that Other tangible benefits

10 Agility and Standardization Being faster isn t just for the big boys It benefits everyone Cut down deployment and test time

11 Agility and Standardization SDN enhances automation Automation enhances standardization Standardization is a good thing

12 The Most Common Use Case DATA CENTER SECURITY

13 The Problem with Data Center Security Applying basic security policies within a DC has added complexity Extra segmentation Changing data flows Service modules/extra hardware

14 And Then Virtualization Made it even more difficult Traffic may not leave virtualization host Easier to make administrative mistakes Additional overhead

15 Band-Aids at Best Been several attempts to integrate good security in to the DC and virtualization Virtual firewall appliances Integrated network security functions Storage/encryption overlays Often create more problems than they solve!

16 Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible Internet Internet Little or no lateral controls inside perimeter Insufficient Operationally Infeasible

17 The Big Two. WHEN SALES REPS ATTACK

18 State of SDN Technologies Two major players in the commercial/enterprise space right now Cisco ACI VMware NSX There are others but not widely seen

19 Cisco ACI (App Centric Infra) Created by Cisco through a spin-out of Insieme Is a combination of both hardware and software Requires Nexus 9K switches Physical APICs (Controllers) Network services provided by integrated external hardware and software

20 Cisco ACI Concepts Benefit of ACI is that it works across physical and virtual systems Some compromises on virtual Multi-hypisor Create EPGs (End Point Groups) and contracts to establish communication and services

21 Cisco ACI Concepts Integration of services is done via device packages Convert ACI policies to native device configurations Anyone can write a device package Key is the ACI is still network-centric by design

22 VMware NSX Came from VMware's acquisition of Niciri Product was called NVP (Network Virtualization Platform) Was primarily focused on OpenStack Combines parts of NVP and parts of VMware's vcloud Network & Security suite Distributed Firewalling Edge Services

23 VMware NSX Concepts Software only solution No hardware appliances Really only functions in a virtual environment Some extension to physicals via VXLAN gateways

24 The NSX Stack Consumption Services (Optional) Management Plane Control Plane vcenter Server NSX Controllers VXLAN DLR Message Bus NSX Manager User World Agent Kernel Modules Data Plane vcac Cloud Management Platform DFW Logical Router Control VM vsphere Distributed Switch Edge Service Appliances

25 Logical switching achieved through overlays L2 Frame Outer MAC HDR Outer IP HDR UD P HDR Overlay HDR L2 Frame L2 Frame Overlay Encapsulated Frame 1 VM Sends a standard L2 Frame 2 Source Hypervisor adds overlay/encapsulation 3 4 Physical Network forwards Destination Hypervisor frame as standard IP de-encapsulates headers frame Overlay technologies encapsulate L2 packets to isolate traffic flows. Use network isolation for: Multi-tenancy Fault containment Separating highly secure application CONFIDENTIAL infrastructures 5 Original L2 Frame delivered to VM

26 Distributed routing OSPF BGP ISIS A Logical Router Control VM is deployed and exchanges routing updates with peers. The NSX admin creates a new logical router. The logical router VM sends route updates to the NSX controller NSX routing: Highly available routing with fully distributed data plane Distributed in each hypervisor Central configuration Controllers are clustered can scale-out based asconfidential needed which distributes the routes to each hypervisor data plane.

27 Distributed firewalling An NSX network is made up of distributed network elements embedded in each hypervisor, enabling each VM to have its own firewall. NSX firewalling: fully distributed, embedded in every hypervisor in the data center Firewalls/policies provisioned simultaneously with VMs Policies move with their VMs Retiring a VM deprovisions its firewall no possibility of stale rules CONFIDENTIAL

28 How Do You Select? Vendors have very different visions and methods of implementation Also have varying dependency requirements VMware NSX for vsphere Cisco requires Nexus 9K switches Etc Many times functionality does not directly overlap

29 How Do You Select? Recommend going through a PoC/Pilot process Define your use cases! Test integration with your existing environment Applications Automation/Cloud Management Platform Monitoring tools Operational processes

30 How SDN Can Help? SDN technologies help secure the DC in a few ways Policy-based management Easy integration Less reliance on specific hardware infrastructure Greater flexibility Much simpler to perform audits Audit policies, not devices

31 Policy-Based Management Managing individual servers and end-points is too cumbersome It s all about the application! Ease configuration by creating standardized policies and apply them to groups Key is standardization!

32 Easy Integration SDN can support and expand the scope of existing tools ACI offers device packages for many non-cisco functions NSX supports 3rd party integration that scales as your environment grows Gives you ability to leverage existing knowledge, experience, and tools

33 Less Reliance on Specific Hardware This does not mean you go buy the cheapest gear available By abstracting policy definition from policy application it makes transitions easier Change from one supported firewall to another Let the SDN system reconfigure policy application

34 Greater Flexibility No longer tied to complex traffic flow configurations Tie security policy application in to hypervisor or network fabric Scale-out performance with same feature set

35 What About Compliance? SDN technologies and products are a set of tools They do not immediately solve compliance issues What they CAN do is make meeting requirements easier Documented reference architectures Easier use of mixed environments

36 PREPARING TO JUMP IN

37 Needed Skills? SDN brings networking down in to the compute and application layers Requires cross-sharing of knowledge by both the VM and application admins as well as network admins

38 Deployment Greenfield deployment of any SDN technology is obviously easier Can be implemented in existing environments Test Be methodical

39 Other Considerations Monitoring tools may not be ready Won t have the visibility you might expect Troubleshooting can be tougher If everything is in a VXLAN packet what can you see? How do you troubleshoot packet flows and performance issues?

40 Software Defined Networking SAMPLE USE CASES

41 Use case 1: Network segmentation NSX Data Center Controlling traffic within a network Perimeter firewall HR Group Finance Group DMZ/Web Control traffic between groups within a network Secure traffic based on logical grouping rather than physical topology Create network segments flexibly even between systems on the same VLAN DMZ/Web App App DB DB Services/Management Group Services Mgmt

42 Use case 2: Multi-tenancy with segmentation and advanced services Tenant 1 Tenant 2 Perimeter firewall Perimeter firewall HR Group Finance Group DMZ/Web No traffic between networks HR Group DMZ/Web DMZ/Web Finance Group App App App DMZ/Web DB DB DB Services/Management Group Services Services/Management Group Mgmt Services isolation Mgmt App DB Completely separate unrelated networks Add advanced services based on virtual network, network segment, or Security Group

43 Use case 3: VDI Traditional Data Center APP1 Web 1 App 1 APP2 Web 2 App 2 NSX Data Center Eng è Web 1 Eng è App 1 Eng è Eng net Eng è Web 2 External 1* è Web 1 Eng è App 2 External 2* è Web 2 Ext1 è Web 1 Ext1 è App 1 Ext2 è Web 2 Ext2 VLANs è App 2 Engineering APP1 APP2 Web 1 App 1 Web 2 App 2 External Contractor 1 External Contractor 2 Engineering Engineering External Contractor 1 External Contractor 1 External Contractor 2 Simplify VDI deployments Eliminate complex policy sets and topologies for different VDI users Align policies to logical grouping Decouple network topology from VDI security External Contractor 2

44 Enhanced DR

45 Questions? Jason Feel free to reach out after the session for any questions.