Fostering the Evolution of Network Based Cloud Service Providers.

CloudVPN
Fostering The Evolution of Network-Based Cloud
Service Providers.
Bart Van de Velde
Sr. Director, Engineering, Chief Technology & Architecture Office
MPLS SDN NFV Congress - Paris

© 2015 Cisco and/or its affiliates. All rights reserved.Presentation_ID Cisco Public
Agenda
•  Introduction
•  CloudVPN Use Case
•  CloudVPN Architecture
•  CloudVPN as a Servive Delivery Platform
•  Summary
2

CloudVPN – A Programmable Platform for SP’s to evolve their
VPN offerings with Cloud integration at a lower TCO (agility,
automation, simplification) and low marginal cost achieved through
Virtualization and SDN enablement.

© 2015 Cisco and/or its affiliates. All rights reserved.PSOPS-2455 Cisco Public
User ≠ One Size Fits AllNew Solutions Demand More Flexible & Comprehensive Offerings that Interoperate with Existing
Equipment inclusive of hardware and software.
On-Demand
Bandwidth & Capacity
Big Data & AnalyticsRapid Deployment of New
Business Applications
Anywhere/Anytime
Secure Accessibility
User Experience,
Delivered
Open Solutions
Seamless
Connectivity
One Stop
Shop
UX &
Multi-Platform
On-Demand
Solutions
The New Customer Requirements
PAYG Models

Cisco Confidential 5© 2013-2014 Cisco and/or its affiliates. All rights reserved.
The Starting Point:
Unique Opportunity of the SMB Market
An Excellent starting point to evolve Business Services Models
Modular Architecture: Low Cost Customization
Cloud Services Delivers on New Buy Models
Demands & Cycles
Variability in Vertical, Size & Offering Needs,
Buy-Cycle; One-Size Does Not Fit All

SDN, NFV and Orchestration
Creating the Change Platform
Orchestration
Automation, provisioning and interworking
of physical and virtual resources
Service
Orchestration
NFVSDN
SDN
Separation of control and data plane
NFV
Network functions and software running
on any open standards-based hardware
The Time is NOW to put SDN , NFV, and Orchestration into Action
Services
Platform

The Mission: Service Provider Business Transformation
AUTOMATION, VIRTUALIZATION AND ORCHESTRATION ARE REQUIRED…HOW?
Virtualized
Resource Pools
(network ready
compute/storage)
Virtualized
Network Functions
Secure Overlays
Dynamic Set-Up,
Tear Down and
Provisioning
On-Demand Workload
Movement with
Service Profiles
Data Center
NetworkWorkload
Portability
Orchestration
Full Access to
Resource Pools
Anywhere
Cloud Services
Cost Reduction and Agility Delivers Profits

Agenda
•  SDN, NFV & Orchestration
•  CloudVPN as a Service Delivery Platform
•  Summary
8

xDSL
GPON
FTTX
Mobile
xDSL
GPON
FTTX
Mobile
xDSL
GPON
FTTX
Mobile
R2
R1
R1
R1
Goal: Multi-tenant Virtual Private
Network+Cloud
Virtual Private Cloud ( VPC )
Logical design automatically created
within the WAN and Cloud Data Center
self-service creation and modifications
animated

CloudVPN – Key Focus Areas
•  Self Service – Catalog Driven
•  Address Small [branches] of the large [enterprises]
•  Remote Worker, SOHO, Distributed Sites (hospitality, retail)
•  One Offering: Integrate VPN with Cloud Services
•  Lower TCO (agility, automation, simplification) via Virtualization & Cloud
Management
•  Leverage existing SP Network Infrastructure
•  Shorter Time To Revenue with NO upfront CAPEX
•  Ability to bundle offers. SMB -> Mobile, Video, Smart business, security

Customer Experience in a Nutshell
Unbox & Plug-in
Service up and running
CPE ships
Orchestration happens!
Order Services

CloudVPN Business Services:
Use Case 1: CloudVPN with Internet, Firewall (FW), Remote Access (RA)
Cloud IPVPN with FW and Remote
Access to Internet
!  vFW with NAT and Policy
!  vFW with IPSec/SSL Remote
Access including Remote End-
Host posture verification
CPE
CPE
CPE
Internet
Router
vFW
SP CLOUD
Internet
Cloud-Hosted Management
Scalable, elastic, on-demand
Overlay Packet Tunnels
!  IPSec tunnels – mesh, hub&spoke
VR

CPE
CPE
CPE
SP CLOUD
Internet
Router
vFWVR
WSAv
Use Case 2: CloudVPN with Internet, FW, RA and Enhanced Web Security
Access to Internet
!  vFW with IPSec/SSL Remote Access
including Remote End-Host posture
verification
!  WSAv for Enhanced Web Security
!  IPSec tunnels – mesh, hub&spoke
Internet

CPE
CPE
CPE
SP CLOUD
Internet
Router
vFWVR
vNG-
IPS
Internet
Use Case 3: CloudVPN with Internet, FW, RA and Next-Gen-IPS
Access to Internet
!  vFW with IPSec/SSL Remote Access
including Remote End-Host posture
verification
!  vNG-IPS (SourceFire) for advanced
threat protection and real-time
contextual awareness
!  IPSec tunnels – mesh, hub&spoke;

Demo Time
15

Agenda
•  Introduction
•  Summary
16

SP
VR
CSR
NED
VR_CSR
Other Network
Services
vFW
vASA
NED
ISR
NED
O/S
virt infra mgr
Portal:
Service
Consumer
Self Service
Create
Deliver
Operate
Optimize
cisco
Network
Compute
Storage
Service Design
Create
Deliver
Operate
Optimize
cisco
Service Design
My DeploymentsMy Designs
Deploy
Deployment Wizard
Select Scope
Engineering
New Folder
Testing
Operator
Self Service
vNG-Intrusion
Protection
vSecWeb-WSAv
NC/YANG
REST/XSD
vNG
IPS
NED
vSec
Web
NED
Customer VPN
BSS
Systems
RC/YANG
NC/YANG
VFW_vASA
ESC
virt service
lifecycle
management
netconfd
service
models
device models
fastmap
reactive
fastmap
yangyang
yang
O/S component
APIs
RC/YANG
NC/YANG
RC/YANG
NC/YANG
Config &
Operation
java
Virtual
Switch
netconfd
Virtual
Switch
Model driven service consumer portal for self-
service service lifecycle : create, modify,
redeploy, delete
NCS
network service lifecycle management
ISR CPE
Csco PnP
http
Csco CLI
via SSH
Config &
Operation
Discovery
& Call Home
PnP Server
(Call Home)
WAN network
and Internet
CloudVPN End-to-End Architecture

Network Services Orchestrator (NSO)
PnP Server
CloudVPN with ISR CPE Use Case
Elastic Services
Controller (ESC)
Tenant Portal
REST API REST API
SP’s OSS/BSS
ISR CPE
PnP Functionality
Zero Touch Provisioning
OpenStack
X86ServerCloudVPN Connectivity up
Provision
CSR
ISR CPE Shipped to Customer
Site, connected & Powered ON
Customer Orders VPN Service
Provide Day 1
Configuration
Establish VPN: IPSec, IP Overlay
(VXLAN, GRE, LISP), L2
DCI/PE
CSR1Kv
Spin up CSR

CloudVPN - Adding VNFs In The Cloud
Elastic Services
Controller (ESC)
Tenant Portal
Network Services Orchestrator (NSO)
REST API REST API
SP’s OSS/BSS
ISR CPE
PnP Functionality
Zero Touch Provisioning
OpenStack
CSR1Kv ASAv
X86Server
Internet
Gateway
vESA
CloudVPN Connectivity up
If more VNFs are needed
for a Service Chain ?
ISR CPE Shipped to Customer
Site, connected & Powered ON
Customer Orders VPN Service
Provide Day 1
Configuration
Establish VPN: IPSec, IP Overlay
(VXLAN, GRE, LISP), L2
PnP Server
DCI/PE
VTF
More scalable and flexible
service chaining enabled with
VTC & high-performance VTF
OVS

vFW
vDDoS
vR
CPE
CPE
CPE
vISE
Internet
Router
vWSA
6
vIPVPN with BYOD, FW, RA, WebSec, DDoS
- vFW with NAT and FW policy.
- vFW with IPSec/SSL remote access incl.
remote end-host security posture verification.
- vISE for BYOD svc auth (AAA, trust-sec label
to IP binding)
- vWSA for Enhanced Web Security
- vDDoS (Radware DefensePro) for volumetric
and application DDoS visibility and mitigation
services
6
vIPVPN with BYOD, FW, RA, WebSec,
ngIPS
- vFW with IPSec/SSL remote access
incl. remote end-host security posture
verification.
- vISE for BYOD svc auth (AAA, trust-
sec label to IP binding)
-vNG-IPS (SourceFire) for advanced
threat protection and real-time
contextual awareness
5
vWSA
vFW
vNG-
IPS
vR
CPE
CPE
CPE
vISE
Internet
Router
vNG-
IPS
5
vIPVPN with BYOD, FW, RA, EmailSec
verification.
- vESA for Critical Information Protection
(inbound and outbound Emails)
4
vESA
vFWvR
CPE
CPE
CPE
Internet
Router
DMZ
email
server?
4
vIPVPN with BYOD, FW, RA, WebSec
verification.
- vISE for BYOD svc auth (AAA, trust-
sec label to IP binding)
3
vWSA
vFWvR
CPE
CPE
CPE
vISE
Internet
Router
3
vWSA
vIPVPN with BYOD, FW and RA
- vFW with IPSec/SSL remote
access incl. remote end-host
security posture verification.
- vISE for BYOD svc auth (AAA,
trust-sec label to IP binding)
2
vFWvR
CPE
CPE
CPE
Internet
Router
vISE
2
vIPVPN with FW and RA
- vFW with IPSec/SSL Remote
Access (RA) incl. remote end-host
security posture verification.
1
vFWvR
CPE
CPE
CPE
Internet
Router
1
vWSA
vESA
vISE
vNG-
IPS
vFW
vDDoS
web security
appliance
email security
appliance
identity services
engine
fire wall
intrusion protection
system
ddos mitigation
services
vR
vLB
Internet
Router
router
load balancer
Internet
Router
Packet service nodes
L2
L3
Termination points
tunnel
local link
Packet links
unclassified
BYOD AAA
http requests
email (inside&outside)
DDoS threat
IPSec/SSL
IPS threat
Packet flows
CloudVPN Service Topologies

Operator
Portal
User
Portal
CloudVPN – Soft Real-Time Orchestration Loop
ISR CPE
CSR
ESC
Openstack
CloudVPN
Function Pack
NCS
ASAv
ISR CPE
ISR CPE
NETCONF
Console
NCS
CLI, NBI
Service models and
implementation

ISR CPE
CSR
ESC
Openstack
NCS
ASAv
ISR CPE
ISR CPE
CREATE SERVICE
UPDATE SERVICE
DELETE SERVICE
Changed
network state
(PnP, ESC
notifs) trigger
service
redeploy
REDEPLOY
SERVICE
FASTMAP
CloudVPN – Soft Real-Time Orchestration Loop
ESC and NCS Interaction
allows for dynamic Service
creation and Update

node.4node.3 node.5
network topology model
node.1
node.2
nodeslinks termination_points
link.1
link.2
link.3 link.4
tp.1
tp.2
tp.3
tp.4
tp.5 tp.6 tp.7 tp.8
[Example of a network topology model]
CloudVPN – zooming in on the modeled
Networking Layer

- S2S: inter-site VPN with CPE-to-VR tunnels;
- RA: VFW with encrypted Remote Access (RA) incl.
remote end-host security posture verification;
- FW-INET: VFW with NAT44 and stateful FW policy
for Internet connectivity;
CVPN-S2S-RA-FW-INET
VFWVR Internet
CVPN-S2S-RA-FW-INET
network service topology
RACPECPE
CPECPE
RA
RAC
RAC
VFWVR Internet
RACPECPE
CPECPE
RA
RAC
RAC
CVPN-S2S-RA-FW-INET
packet flows
unclassified
http requests
DDoS threat
SSL
IPS threat
packet flows
NAT44’ed
WCCPv2 redirect, http only
IP fwding, static or dynamic route
SSL termination
ACL based forward
pkt processing & fwding
NAT44
local connection
tunnel connection
links
L2, Ethernet
L3, IPv6 and/or IPv4
termination points
[Example of a network topology model]

cpe-01
r2
esc-01
br-outside-01
Gig0/1
cisco-isr
eth4.100
eth1
eth4
compute-01
cisco-ucs esc
ovs-network
Topology: dt_mvp1_underlay
Tags: sjc_lab, underlay
cpe-01
router-01
cisco-isr
ipsec_vpn
Topology: dt_mvp1_overlay
Tags: overlay
ipsec_tunnel
cisco-
csr1000v
cpe tunnel
cpe-01 tunnel-01 router-01
uni cpe csr nni
Virto: myvpn
Tags: sjc_lab
vFirewall
VRF
ovs-
network
vWSA
vBridge
cisco-
asa100V
cisco-vwsa
vBridge
ovs-
network
Virtual
Routercpe
br-01
bridge
bridge inside outside
wsa
router firewall firewall gateway
wsa-01
firewall-01 br-02
br-01
external
network
internet
br-internet-01
IVRF
firewall-01
wsa-01
eth0
eth1
eth2
Gig1 Gig2
Gig1 Gig2
eth0
Gig0/1 cpe-01.Gig0/1 router-01.Gig1
Gig1 Gig2
Unmanaged IP
Network
tp2
tp1
eth4.101
eth4
eth1
tp3
module: virto
+--rw virto [id]
...
| +--rw topology-types?
| | +--rw cvpnv:cloudvpn-virto?
| +--rw tags* string
| +--rw supporting-topology [id]
...
| +--rw node [id]
...
| | +--rw node-type?
| | | +--rw cvpnv:cloudvpn-virto
| | | +--rw cvpnv:cpe?
| | | +--rw cvpnv:tunnel?
| | | +--rw cvpnv:vRouter?
| | | +--rw cvpnv:vFirewall?
| | | +--rw cvpnv:vAAA?
| | | +--rw cvpnv:vWSA?
| | | +--rw cvpnv:vESA?
| | | +--rw cvpnv:vIPS?
| | | +--rw cvpnv:vDOS?
| | | +--rw cvpnv:network?
...
| | +--rw supporting-node* node-ref
| | +--rw termination-point [id]
...
| | +--rw function?
...
| +--rw link [id]
...
+--rw occupancy
...
Underlay
Overlay
Virto

Agenda
•  Key Focus areas
•  CloudVPN Use case
•  Summary
26

Service Platform Characteristics
Modularity & Interoperability
"  Reusable & flexible; interoperable components; consistent APIs & open interfaces
Open Innovation, Open Source, Standards
"  Standardization & development of open, multi-vendor solutions
Scale & Simplify the Network
"  Virtualization & programmability; multi-layer convergence &
interoperability, automated solutions
Increase Value for Partners, Customers, Users
"  New user experiences, faster time-to-market, new consumption & business models
Modular
Simple &
Scalable
Standards-
Based
Interoperable
Open
Multi-Vendor,
Multi-Environment
Flexible Infrastructure;
New Classes of
Applications
Open & Interoperable
Solutions; Standards &
Open Source
Modular & Reusable
Components

Generalized Orchestration Model
Operations and Life-Cycle
management of infrastructure
Domain Controllers
Svc Producer Layer
Infrastructure
Physical and Virtual
Operations and Life-Cycle
management of Services
Cross Domain Service Lifecycle
Orchestration
Principles
!  Functional architecture
comprised of a layered,
loosely coupled distributed
system components
!  Functions can operate and
evolve independently
!  Functions can be deployed
in combination or isolation
!  Each layer abstracts the
detail of what is below it
from any functions above
Domain Controller
or Orchestrator
Domain Controller
or Orchestrator
Domain Controller
or Orchestrator
API
Service Consumer Lifecycle
Management
Svc Consumer Layer
Consumer Facing Service
VIRTUAL
NETWORK
FUNCTIONS
TENANT
VMs PHYSICAL
PACKET /
OPTICAL
NETWORK
COMPUTE / STORAGE
DomainDomain

CloudVPN Model Driven Architectural Approach
•  Services are driven with an E2E
Scope.
•  E2E Scope is model driven.
•  Models have both a Service
and Device component.
•  Service-Network mappings bind
Service Models to Network and
Device Instantiations.
•  Models need to span across the
multi-domain CVPN service
path.
Prem Access WAN Compute
CPE
L2NID
MX
ISR
Metro
VNF
Service Chaining
ME36xx 9K
CRS
3rd Party
CSR
vASA
…
Service
Models
Svc-Ntwrk
Models
Device
Models
NCS
Service Definition
Service Definition
Service Definition
Router VNF
x86
…

Business Operations, BSS
All
Access
MSAN
OLT
LTE
Data Center
User
Area
DC
Packet Network
DC
Internet&peerings&
So-&Real1Time&SDN&
Orchestra9on&and&OSS&
Packet flows
Internet
Services
Physical: IP Optical Network x86 Compute
Logical: IP and Overlay Transport (Virtualized) Service Creation
Converging to Software Driven Architecture – Addressing the
Hunger Gap
Programmability: YANG over NETCONF, RESTCONF, RESTful , JSON
Control: Soft Real Time Network OSS Soft Real Time Compute
Orchestration
Reduce Marginal Cost of Service Creation to ~0
Eliminate human operator intervention; Integrate custom IT back-end
S
D
N
Data Model
Driven
Adaptation
devices
topologies
topologies
services
agents
plugins
controllers
automation
e2e services
abstractionstack
decomposition

CloudVPN – A Programmable Platform for SP’s to evolve their
VPN offerings with Cloud integration with a lower TCO (agility,
automation, simplification) and low marginal cost achieved through
Virtualization and SDN enablement.

Fostering the Evolution of Network Based Cloud Service Providers.

Fostering the Evolution of Network Based Cloud Service Providers.

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Fostering the Evolution of Network Based Cloud Service Providers.

Similaire à Fostering the Evolution of Network Based Cloud Service Providers. (20)

Plus de Cisco Service Provider

Plus de Cisco Service Provider (20)

Dernier

Dernier (20)

Fostering the Evolution of Network Based Cloud Service Providers.