White Paper NEC ProgrammableFlow: An Open and Programmable Network Fabric for Datacenters and the Cloud


NEC ProgrammableFlow: An Open and Programmable Network Fabric for Datacenters and the Cloud NEC Corporation of America www.necam.com

Introduction

NEC ProgrammableFlow Network Fabric leverages the OpenFlow protocol to create a smart, simple, secure and scalable solution for the enterprise datacenter. The ProgrammableFlow network fabric provides an open data plane where OpenFlow-enabled switches can be interconnected with any traffic-optimized topology. In contrast to existing fabric technologies, ProgrammableFlow provides multipath at both layer-2 and layer-3 for interconnecting end systems and delivering end-to-end high performance and reliability. The network fabric operation is simplified by leveraging NEC's unique network virtualization solution and API-based automation capabilities. Deployed as either a data center fabric or as a virtualization layer for a variety of service specific, Programmable Network Fabric is an agile solution to incrementally grow the network to fit traffic patterns and business needs.

OpenFlow: Open Software-defined Networking

OpenFlow is an open Software-Defined Networking architecture designed primarily to separate the data path and the control path. In OpenFlow, all networking logic and policies are handled by a controller running in a Commercial-off-the-shelf (COTS) server while the hardware switches only execute the data plane tasks. OpenFlow enables a network to be built using multi-vendor switches wherein application-specific network functionalities can be programmed into the controller software and deployed using multi-vendor hardware switches.

The OpenFlow specification is standardized by the Open Networking Foundation (ONF). The ONF Board of Directors includes Deutsche Telekom, Facebook, Google, Microsoft, NTT, Verizon and Yahoo!. Founding member NEC, along with 50 other leaders in the networking industry, has closely collaborated to develop the OpenFlow specification.
OpenFlow-based Networks feature Programmable Network

In a standard network, the packets being forwarded (the data path) and the forwarding decisions (the control path) are both handled by the router or switch. In the OpenFlow approach, these functions are separated. The router or switch handles the data path while the control path is handled by a separate, programmable controller. The switch and the controller communicate via the OpenFlow standard. This architecture introduces a lot of flexibility into the network and simplifies management, provisioning, and configuration of the network devices. Adoption of an OpenFlow architecture results in reduced cost and complexity and accelerated innovation, while increasing security, stability, and availability of the cloud and other network-enabled services.

OpenFlow also enjoys the benefits of an open architecture approach. While the Ethernet standard is well-established, each vendor's implementation is somewhat different, and commercial switches and routers of today typically do not provide an open software platform that supports innovation or customization. An open-systems overlay over Ethernet, OpenFlow lowers the entry barrier for new ideas, allows customers to avoid vendor lock-in, and could help increase the rate of innovation in the network infrastructure space.

OpenFlow and the NEC ProgrammableFlow Solution deliver operational simplicity and flexibility

The NEC ProgrammableFlow network architecture and product family is a datacenter-class networking fabric developed by NEC. Designed as a simplified architecture for data center and cloud networks, ProgrammableFlow leverages the OpenFlow protocol to create Software-Defined Network (SDN) virtualization, allowing customers to easily deploy and manage virtualized network infrastructure. The NEC ProgrammableFlow product family is comprised of a high-performance controller, an integrated network visualization monitor, and multi-layer packet-forwarding hardware switches.
ProgrammableFlow offers an open network fabric solution which enables a programmable and dynamic approach to create, deploy, and edit virtualized networks over OpenFlow-enabled switches. Operational simplicity, flexible and smart network programming, network agility to support virtual infrastructure, scale-out performance, and reliability are some of the key characteristic advantages of the ProgrammableFlow network fabric.

NEC ProgrammableFlow: An Open And Flat Network Fabric

ProgrammableFlow provides an open architecture to build the network fabric. In this architecture, all switches are programmed leveraging the OpenFlow interface and protocol. One can build the fabric using switches from any vendor as long as they support the OpenFlow protocol. The ProgrammableFlow controller also has a unique virtualization ability to create a fabric over heterogeneous switches supporting different port densities and speeds. Further, the fabric is open in terms of switch interconnection topology. Depending on the traffic type, traffic policies, and bandwidth or delay requirements, one can build an open fabric with the right switch combination and interconnection topology.

NEC Corporation of America 2012

Traditionally, a network is deployed as a multi-tiered architecture where a Layer-3 tier connects to multiple Layer-2 tier networks running the spanning tree protocol. Scaling becomes a critical concern for such networks when there is a significant amount of east-west traffic. For example, the bandwidth performance drops as the distance between two servers increases within a datacenter.

ProgrammableFlow provides a flat network fabric architecture that offers multiple advantages. The flat network fabric enables the use of least-cost routing between any pair of end hosts, resulting in higher bandwidth and lowest latency. This also circumvents any layer-specific bottlenecks in terms of traffic handling capabilities. With ProgrammableFlow, appliances and service modules can be attached to any switch ports, thereby avoiding the creation of multiple appliance-specific layers. The ProgrammableFlow flat network fabric allows location independence, which lets the end hosts or virtual servers retain their IP addressing scheme independent of the switch port assignment.

An important characteristic of the ProgrammableFlow flat network fabric is that it is not restricted to just layer-2 network service, as is the case with other flat network solutions. One can define a combination of layer-2 and layer-3 networks and create policies on top of the same flat network fabric without introducing tiers.

Network-wide Automation

The need for network automation is fueled by the growth of data center size, changing requirements, complexity in programming the network and datacenter-wide virtualization. It is challenging to manage multiple switch configurations, firmware upgrades, and vendor-specific CLI scripts. OpenFlow offers a significant advantage by moving the complex, error-prone, vendor-specific CLI interfaces into an open and standardized programmable OpenFlow interface that works over switches from various vendors.
ProgrammableFlow leverages the OpenFlow interface to add a network-wide open automation framework. Instead of having a per-switch CLI interface, ProgrammableFlow offers an entire network-level CLI interface. Operators can create and deploy scripts to automate the entire network without having to worry about potential switch-level configuration errors. The network programming model defined in ProgrammableFlow is robust to potential errors and ensures conflict-free switch configurations.

Furthermore, ProgrammableFlow offers both a script-based and a REST API-based network automation framework in which virtual networks can be created, edited, and deleted. The richness of the model allows operators to easily define topological properties such as packet forwarding policies. The framework can be easily integrated with an external orchestration system as well as with external appliances.

The key advantages of ProgrammableFlow's network automation framework are:

a) Integration flexibility with 3rd party systems
b) Reduced network provisioning time
c) Reduced change deployment time
d) Minimized human error
e) Policy compliance and security
f) Network-wide management interface standardization

Figure 1: ProgrammableFlow architecture

Figure 2: ProgrammableFlow controller management interface

Introducing Open, API-based Network Programming

The ProgrammableFlow network provides a virtual network plane through which network operators can define dynamic network functionalities. Most of these functionalities are available through an open standard-based API framework. The API framework allows third party applications such as network management or orchestration systems to directly interact with the network through a well-defined functional approach. Third party systems can make on-demand calls to the API to create, edit, and delete virtual networks, as well as to add and remove policies.

A unique feature of the ProgrammableFlow solution is that the APIs are defined at the network level rather than at the switch level. The controller ensures that the API commands are correctly interpreted and that appropriate flow-related commands are communicated to the switches to realize the required network-level functionality.

Figure 3: ProgrammableFlow functional overview

A Multipath Scale-out Fabric

With the increase in east-west traffic, the available bandwidth between servers, storage elements, and appliances is becoming a critical ingredient in the network. The use of the traditional spanning tree protocol at layer-2 creates a single path between end-points, thereby putting limitations on the end-to-end bandwidth. Advanced fabric routing protocols based on TRILL offer methods of leveraging multiple paths, but they also introduce new protocol-level complexities. Further, TRILL-based protocols are not standardized and may require switches from a single vendor.

Figure 4: The ProgrammableFlow Multipath Fabric enables multiple end-to-end paths to provide high end-to-end bandwidth.

The ProgrammableFlow Multipath Fabric solution leverages OpenFlow to control the switch plane. Multiple end-to-end paths are created automatically without requiring any special switch-level configuration or underlying protocol understanding. The data flows are automatically balanced across multiple paths to provide high end-to-end bandwidth.

The ProgrammableFlow approach to multipath routing inherently offers several advantages over other solutions. In contrast to the legacy distributed equal-cost-multipath (ECMP) based approaches, the ProgrammableFlow solution is built on centralized flow routing decisions, resulting in global traffic routing optimization. Flows-to-paths mapping can be determined dynamically based on the class-based policies as well as link weights/costs. Furthermore, the alternate path computation process is based on the underlying topology and existing load conditions and is not limited to the equal cost metric. Hence, ProgrammableFlow can discover a larger number of end-to-end paths and achieve better flow-level load balancing, thereby resulting in a high end-to-end fabric bandwidth.

ProgrammableFlow Fabric also provides automatic scale-out ability. The fabric can be built with a few core switches and then be expanded to a large number of switches while supporting any complex interconnection topology. When a new switch is added, the controller detects both the existence of the new switch and the additional links and updates the set of paths to enable re-optimization of the traffic distribution. Consequently, fabric size expansion and reduction are automatically handled without requiring any explicit configurations.

Multiclass Interference-free Fabric Routing

In a typical legacy network, the traffic from multiple applications shares the same physical network infrastructure (links, ports, and forwarding capacity) and follows a single path. In contrast to the traditional network design, NEC's fabric provides multiple end-to-end paths connecting end hosts. While end-to-end paths can provide high bandwidth to applications, there are specific requirements wherein application-specific traffic needs to be separated at the routing level. For example, large bulk data file transfers can interfere with the delay-sensitive messaging traffic for trading applications when sharing the same network fabric, and the two should follow separate paths.

ProgrammableFlow Fabric offers a unique feature in which the network fabric can compute multiple non-interfering paths while enabling application-specific mapping to paths. Application traffic can be identified or classified based on packet header field matching rules. Each application class can be dynamically mapped to a corresponding path routing policy. For example, the network can compute two end-to-end paths and map FTP bulk data traffic to one path while the delay-sensitive messaging traffic is mapped to the other path. In essence, ProgrammableFlow fabric allows creation of multiple end-to-end lanes and policies to route traffic classes on corresponding lanes. With the multiclass fabric routing feature, one physical underlying network can be provisioned to optimally support the QoS and bandwidth requirements of heterogeneous applications.

Figure 5: ProgrammableFlow's Multiclass interference-free routing

End-to-end Reliable Fabric

Existing legacy layer-2 networks offer a limited level of reliability. For example, Link Aggregation Group (LAG) can ensure link-level reliability. However, LAG cannot recover from a switch failure since traditional LAG cannot be defined across links connecting one switch to multiple switches. The alternative is to use the Spanning Tree Protocol (STP). However, all variants of STP take time on the order of seconds to recover from a link or switch failure, resulting in increased downtime. An ECMP-based solution can provide fast recovery from such failures by maintaining alternate paths and executing fast switchover in case of failure. However, current legacy implementation does not provide a 100% failure-proof solution. Furthermore, vendor-specific proprietary solutions require all switches and routers to be from the same vendor, resulting in vendor lock-in.

ProgrammableFlow provides a highly reliable end-to-end fabric that works over any type of switches from any vendor as long as they support OpenFlow. The controller is a vantage point that monitors the entire network fabric and ensures that the backup paths always exist at an end-to-end level. This is in contrast to the distributed protocols, where failure detection and response is at the local switch level. ProgrammableFlow not only detects multiple failures quickly but can also rapidly shift flows to the respective backup paths, enabling fast recovery from even multiple switch or link failures. Typical turn-around time for failure detection to flow switching is around 100-200 msec.

ProgrammableFlow also provides Multi-switch LAG (MLAG), where a LAG group can be created from one switch to multiple switches. MLAG can be effective in connecting servers to multiple Top-of-the-Rack (TOR) switches or in connecting to WAN-facing gateway routers. MLAG takes care of reliability at the end points, thereby providing true end-to-end reliable connectivity.

Figure 6: Multi-switch Link Aggregation Group (MLAG) for end-to-end reliability
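The LAG versus MLAG point above can be checked mechanically. The following is an added example, not NEC code: it audits a constructed leaf-spine topology (all node names are made up for the illustration) and reports every single switch or link whose failure would leave two servers without a backup path. It assumes every node other than the two endpoints is a switch.

```python
from collections import Counter, deque
from typing import Dict, Iterable, List, Optional, Tuple

Pair = Tuple[str, str]


def build(links: Iterable[Pair]) -> Dict[str, Counter]:
    """Adjacency map with link counts; a pair listed twice is a two-member LAG."""
    adj: Dict[str, Counter] = {}
    for a, b in links:
        adj.setdefault(a, Counter())[b] += 1
        adj.setdefault(b, Counter())[a] += 1
    return adj


def reachable(adj: Dict[str, Counter], src: str, dst: str,
              dead_node: Optional[str] = None,
              dead_link: Optional[Pair] = None) -> bool:
    """Breadth-first search that ignores one failed switch or one failed member link."""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt, members in adj.get(node, {}).items():
            if dead_link is not None and {node, nxt} == set(dead_link):
                members -= 1      # one physical member of this pair is down
            if members > 0 and nxt != dead_node and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def single_points_of_failure(links: List[Pair], src: str, dst: str) -> List[str]:
    """List every switch or link whose loss alone disconnects src from dst."""
    adj = build(links)
    if not reachable(adj, src, dst):
        raise ValueError(f"{src} cannot reach {dst} even with no failures")
    findings = []
    for node in sorted(adj):
        if node not in (src, dst) and not reachable(adj, src, dst, dead_node=node):
            findings.append(f"switch {node}")
    for a, b in sorted({tuple(sorted(p)) for p in links}):
        if not reachable(adj, src, dst, dead_link=(a, b)):
            findings.append(f"link {a}-{b}")
    return findings


# Constructed topology: four top-of-rack switches, each wired to two spines.
CORE = [(t, s) for t in ("tor1", "tor2", "tor3", "tor4")
        for s in ("spine1", "spine2")]
# srvB is dual-homed in every variant; only srvA's attachment changes.
SINGLE = CORE + [("srvA", "tor1"), ("srvB", "tor3"), ("srvB", "tor4")]
LAG = SINGLE + [("srvA", "tor1")]     # second member link to the same switch
MLAG = SINGLE + [("srvA", "tor2")]    # second member link to a different switch

if __name__ == "__main__":
    for name, topo in (("single link", SINGLE), ("LAG", LAG), ("MLAG", MLAG)):
        print(f"{name:12} -> {single_points_of_failure(topo, 'srvA', 'srvB')}")
```

A plain LAG removes the link finding but still leaves the top-of-rack switch as a single point of failure; only the multi-switch attachment clears both.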

Secure Multi-tenant Fabric

VLANs are still the de facto standard for providing secure isolation in present data center networks. Today, VLANs are used for various types of isolation: isolating infrastructure resources, application servers, tenants or customers. However, VLAN is a characteristic of the legacy layer-2 networks, which have severe limitations in terms of performance, reliability, and virtual machine migration. Therefore, it is critical that any fabric solution offer the same security and isolation features as provided by VLANs, while alleviating all the limitations of a traditional layer-2 network.

ProgrammableFlow provides a fabric that enables VLAN-type separation by defining a concept called vbridge in the virtual network plane. One can simply map VLANs to vbridge and provide the same level of isolation in the fabric. Packets can be tagged either by the end host, such as by using port groups in ESX vswitch, or by the fabric switch itself. Isolation for security and underlying data plane optimization are completely decoupled in a ProgrammableFlow fabric.

In many cases, a user wants isolation not only at layer-2 but also at layer-3. For example, in a multi-tenant scenario, a tenant may wish to have multiple VLANs for application-level separation. The cloud or hosting provider may want to have isolation at a tenant level where each tenant is using a set of VLANs. Security requirements can also become stringent in cases where there is inter-VLAN traffic which utilizes Layer-3 routers. Policies deployed at layer-3 routers to ensure tenant-level isolation are prone to misconfigurations. In summary, there exist no comprehensive isolation solutions which can secure a tenant at a network level in the legacy world.

ProgrammableFlow Fabric has defined multi-tenant virtual networks where tenants are isolated at the network level. With true traffic isolation between tenants, end systems belonging to one tenant network cannot reach end systems belonging to another tenant network. At the same time, each tenant can define its own customized layer-2 or layer-3 network and leverage inter-tenant isolation to effectively create a secured slice of the underlying physical network.

Figure 7: ProgrammableFlow provides Network-level VTN isolation

Disaster Recovery

Disaster recovery (DR) has become critical for enterprises that are running mission-critical applications or services. In order to provide DR, enterprises have to create backup sites in separate geographical regions. The ProgrammableFlow solution provides several features to assist the DR process.

The ProgrammableFlow solution allows creation of a virtual network that can span multiple sites over layer-2 pipes. Within such a virtual network, the virtual machines or even virtual storage can be migrated from the primary site to the backup site seamlessly. The network policies for routing and forwarding are automatically applied to the migrated servers or storage. This automation results in fast recovery in case of any failure on the primary site.

The ProgrammableFlow approach also avoids switch-level configuration complexities. All network-level functionalities are defined in a single template-based script. Such a template can be applied to a new backup site to quickly get the service up and running. Furthermore, the template definitions are decoupled from the actual physical network topology. Consequently, one has the flexibility to design the primary and the backup physical networks differently to optimize the total cost of operation.

Smart Conditional Routing

In many cases, the packet forwarding decision is based on the result derived from evaluating a condition on a subset of header fields rather than just the destination MAC or IP address. Furthermore, the final destination of a packet need not be the destination IP address but an intermediate appliance or service module such as a firewall or load balancer. Such functionalities are not available in legacy networks. The closest solution to such functionality is the policy-based routing capability that is available in high-end routers. However, policy-based routing is limited to simple header field matches and can only map the packet to a specific router interface as opposed to an end-system.

ProgrammableFlow Fabric allows complex conditions to be defined over a combination of multiple packet header fields, such as MAC addresses, IP address, port number, and protocol type, enabling intelligent routing decisions. The conditions are declared in a virtual network construct called vfilter and can be applied to any virtual node interface (vbridge or vrouter). Each vfilter is associated with three action items:

a) Drop the packet
b) Forward the packet to original destination
c) Forward the packet to a specified destination

There are various use cases of conditional routing. Some of these are described below.

Dynamic intelligent ACLs

The virtual filters (vfilters) defined in the ProgrammableFlow solution can be leveraged to define Access Control Lists (ACLs) of various degrees of complexity. Simple ACLs can be based on direct packet header matching to decide whether to drop or pass the packets. Complex ACLs can consist of complex predicates defined on multiple packet header fields. The ACLs can be deployed dynamically on the virtual network. The controller takes the responsibility of pushing the associated flow table entries to all the switches in the fabric.

Appliance layer compaction

In traditional layer-2 data center design, appliances such as firewalls and load balancers are deployed as separate layers, thereby creating multiple layers at the logical level. With the use of conditional routing, appliances can be connected to any switch port and traffic can be explicitly routed to specific appliances using appropriate condition definitions. In other words, there are no physical connectivity constraints in attaching the appliance.

Selective appliance routing

One can easily define flexible conditions on how traffic should be forwarded to different types of appliances. For example, one can set rules to decide whether to forward a given traffic flow to the firewall or not, and whether to add a particular appliance such as an intrusion detection system along the flow path or not.

Appliance or Service composition

Appliance or service composition can be done by chaining or sequencing multiple rules or vfilters. For example, one can define a set of filters with corresponding actions to define a forwarding path for a particular flow that consists of a firewall, an intrusion prevention system and a load balancer before reaching a destination host.

Appliance availability

ProgrammableFlow's ping-based monitoring feature in the controller can be used in conjunction with conditional routing to improve appliance availability. For example, if a given appliance becomes unavailable, the network fabric can detect the fault and assist in redirecting the traffic flow to a standby or backup appliance.

Selective traffic steering

Selective traffic steering refers to the application scenarios where traffic is steered towards a given egress port of the fabric based on certain matched conditions. An example scenario is when policies are set to steer traffic through the right WAN interface. Such policies can be reactive as well. For example, in case a WAN access becomes unavailable, the traffic needs to be steered through a backup interface.
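The conditional routing described in this section, modelled in Python as an added example (it is not NEC code and not the ProgrammableFlow API). The rule fields, the hop names, first-match ordering and drop-by-default are assumptions made for the illustration; the three actions are the ones listed above, and the chain is the firewall, intrusion prevention system and load balancer sequence from the service composition use case.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

DROP, PASS, REDIRECT = "drop", "pass", "redirect"   # the three actions


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                       # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """A condition over several header fields plus one action (hypothetical schema)."""
    action: str
    redirect_to: Optional[str] = None            # next hop, REDIRECT only
    src_net: Optional[str] = None                # None matches anything
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    dst_ports: Optional[Tuple[int, int]] = None  # inclusive port range

    def __post_init__(self):
        if self.action not in (DROP, PASS, REDIRECT):
            raise ValueError(f"unknown action {self.action!r}")
        if (self.action == REDIRECT) != (self.redirect_to is not None):
            raise ValueError("redirect_to must be set for REDIRECT and only then")

    def matches(self, pkt: Packet) -> bool:
        if self.src_net and ip_address(pkt.src_ip) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(pkt.dst_ip) not in ip_network(self.dst_net):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dst_ports:
            low, high = self.dst_ports
            if pkt.dst_port is None or not low <= pkt.dst_port <= high:
                return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Rule:
    """Return the first matching rule; unmatched traffic is dropped (assumption)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return Rule(action=DROP)


def trace(filters: Dict[str, List[Rule]], ingress: str,
          pkt: Packet) -> Tuple[str, List[str]]:
    """Follow redirects hop by hop and return (verdict, hops visited).

    A redirect to a hop already visited, or to a hop with no filter, is
    reported as a drop, so a broken chain fails closed instead of looping
    or silently skipping an inspection stage.
    """
    visited: List[str] = []
    hop = ingress
    while True:
        if hop in visited or hop not in filters:
            return DROP, visited + [hop]
        visited.append(hop)
        rule = evaluate(filters[hop], pkt)
        if rule.action != REDIRECT:
            return rule.action, visited
        hop = rule.redirect_to


# Constructed policy: each key is the virtual interface where the filter is
# applied; "firewall", "ips" and "lb" are the interfaces facing those appliances.
WEB_NET = "10.20.0.0/24"
CHAIN: Dict[str, List[Rule]] = {
    "edge": [
        Rule(DROP, src_net="198.51.100.0/24"),                # simple ACL
        Rule(REDIRECT, "firewall", dst_net=WEB_NET,
             proto="tcp", dst_ports=(443, 443)),              # steer HTTPS
    ],
    "firewall": [Rule(REDIRECT, "ips", dst_net=WEB_NET)],
    "ips": [Rule(REDIRECT, "lb", dst_net=WEB_NET)],
    "lb": [Rule(PASS, dst_net=WEB_NET)],
}

if __name__ == "__main__":
    https = Packet("203.0.113.7", "10.20.0.5", "tcp", 443)
    ssh = Packet("203.0.113.7", "10.20.0.5", "tcp", 22)
    print(trace(CHAIN, "edge", https))
    print(trace(CHAIN, "edge", ssh))
```

Running `trace` over representative packets before a policy is deployed shows whether permitted traffic really crosses every inspection stage and whether a chain edit has introduced a loop.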
Cloud Infrastructure Portability And Repeatability

Infrastructure virtualization is a critical element of the cloud. As a part of virtualization, virtual servers and storage can be easily migrated from one physical location to another, either in the same data center or across datacenters. Unfortunately, any such migration requires significant changes in the underlying network configurations. Depending on the physical network topology, such migration may even lead to redesigning the network policies and changing the switch-level configurations.

ProgrammableFlow network virtualization provides a unique advantage to address the above challenge. Virtual networks in ProgrammableFlow are independent of the underlying physical network and can be defined or edited using template-based scripts. Therefore, subsequent to migration or launch of a virtualized server or storage environment, one can easily apply the existing virtual network templates for a seamless deployment of the network without having to worry about the underlying new physical network.

The decoupling of the physical and virtual networks and the use of virtual network templates enables repeatability in a multi-tenant environment where the underlying cloud infrastructure is shared. Template-based virtual networks can be applied with minimal modification to suit individual tenant requirements, thereby providing an on-demand networking model for servers and storage.

Conclusion

NEC ProgrammableFlow Network Fabric leverages the OpenFlow protocol to create a smart, simple, secure and scalable solution for the enterprise datacenter. The ProgrammableFlow network fabric provides an open data plane where multi-vendor OpenFlow-enabled switches can be interconnected with any traffic-optimized topology. In contrast to existing fabric technologies, ProgrammableFlow provides multipath at both layer-2 and layer-3 for interconnecting end systems and delivering end-to-end high performance and reliability. The network fabric operation is simplified by leveraging NEC's unique network virtualization solution and API-based automation capabilities. In terms of building and architecting a data center fabric, Programmable Network Fabric is an agile solution to incrementally grow the network to fit traffic patterns and business needs.
Corporate Headquarters (Japan): NEC Corporation, www.nec.com
Oceania (Australia): NEC Australia Pty Ltd, www.nec.com.au
North America (USA & Canada): NEC Corporation of America, www.necam.com
Asia: NEC Corporation, www.nec.com
Europe (EMEA): NEC Philips Unified Solutions, www.nec-philips.com

About NEC Corporation of America

Headquartered in Irving, Texas, NEC Corporation of America is a leading provider of innovative IT, network and communications products and solutions for service carriers, Fortune 1000 and SMB businesses across multiple vertical industries, including Healthcare, Government, Education and Hospitality. NEC Corporation of America delivers one of the industry's broadest portfolios of technology solutions and professional services, including unified communications, wireless, voice and data, managed services, server and storage infrastructure, optical network systems, microwave radio communications and biometric security. NEC Corporation of America is a wholly-owned subsidiary of NEC Corporation, a global technology leader with operations in 30 countries and more than $42 billion in revenues. For more information, please visit www.necam.com.

WP12018 v.4.25.12 2012 NEC Corporation. All rights reserved. NEC, NEC logo, and UNIVERGE are trademarks or registered trademarks of NEC Corporation that may be registered in Japan and other jurisdictions. All trademarks identified with or are registered trademarks or trademarks respectively. Models may vary for each country. Please refer to your local NEC representatives for further details.