BRKDCT-2445

Agile OpenStack Networking with
Cisco solutions
Rohit Agarwalla, Senior Technical Leader
@rohitagarwalla
BRKDCT-2445

• Introduction to OpenStack
• Cisco and OpenStack
• OpenStack Networking – Neutron
• Neutron Network Architectures
• Cisco Integrations into Neutron
• Demo
• Advanced Neutron considerations
• Summary/Q&A
Agenda

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
OpenStack Overview
Open source Cloud Computing Platform for Private and Public Clouds
BRKDCT-2445
Multi-tenancy and Pluggable back-ends

OpenStack Projects
Compute (Nova) Dashboard (Horizon) Database (Trove)
Network (Neutron) Image (Glance) Orchestration (Heat)
Object Storage (Swift) Identity (KeyStone) Data Processing (Sahara)
Block Storage (Cinder) Telemetry (Ceilometer) Deployment (Kolla)
Bare Metal (Ironic) DNS (Designate)
Application Catalog
(Murano)
Containers (Magnum) Key Management (Barbican) Policy (Congress)
File System (Manila) Messaging (Zaqar) ….
BRKDCT-2445

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 7BRKDCT-2445
Core and Optional Services
Source: https://www.openstack.org/software/project-navigator/

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
OpenStack Progress
8
Austin – Oct 2010
Bexar – Feb 2011
Cactus– April 2011
Diablo – Sept 2011
Essex – April 2012
Folsom– Sept 2012
Grizzly– April 2013
Havana – Oct 2013
IceHouse– April 2014
Juno – Oct 2014
Kilo – May 2015
2010
2011
2012
2013
2014
Liberty – Oct 2015
Mitaka– April 2016
BRKDCT-2445
Newton – Oct 2016
2015
2016

Plan to attend the next Summit
10BRKDCT-2445
https://www.openstack.org/summit/barcelona-2016/

Cisco and OpenStack
• Cisco Validated Designs
• Work closely and jointly
with customers to design
and build OpenStack
environment
• OpenStack based Global
Intercloud hosted across
Cisco and partners data
centers
• Cisco Metapod (MetaCloud +
Piston)
• Neutron/Cinder/Ironic
Plugins/Drivers for Cisco
infrastructure – Nexus, APIC,
CSR1K, ASR1K, UCS
• Cisco Applications on
OpenStack
• Code contributions across
several services – Network.
Compute, Dashboard, Storage,
Containers, Deployment
Community
Participation
Engineering
Partners/
Customers
Cloud
Services
• Incubating new OpenStack
related Projects – GBP,
PlaceWise, VMTP
BRKDCT-2445

• Kloudbuster
• VMTP
• Group Based Policy
15
Mitaka release contributions lead by Cisco
Mitaka
release
Kolla
Magnum
Neutron
Horizon
Ironic
Rally
Cisco
lead
Projects
Heat
• UCSM, Nexus driver
• ODL driver
• ASR1000 driver
• PNR driver
• Bay and BayModel Support
• UCS CIMC, UCSM driver
• Benchmarks/Scenarios for
Swift APIs
• Magnum container support
• ASR1000 support
• Developer dashboard and preview
panel
• Kolla PTL
• Upgrade and Reconfigure actions
• Security/TLS
• Pluggable Networking
BRKDCT-2445

OpenStack Networking - Neutron

OpenStack Network Architecture
Tenant A Compute
Node (s)
Running
Compute and
Network
agents
Controller
Node(s)
Running
Database,
Message
Queue Server,
API Services,
Scheduler..
Router
Network
Node(s)
Running
Network
Service
Agents
API Network
External Network
Internet
Data Network
Management Network
Network Purpose IP
Address
Management
Network
Used for internal
communication between
OpenStack Components
Reachable
only within
the data
center
External
Network
Used to provide VMs
with Internet access
Reachable
by anyone
from the
Internet
API Network Exposes all OpenStack
APIs, including the
OpenStack Networking
API, to tenants
Reachable
to Tenants
Data Network Used for VM data
communication within the
cloud deployment.
Reachable
within the
Tenant
address
space
19BRKDCT-2445

Neutron Overview
Tenant A Router
Subnet Red Subnet Blue
VM 1
Tenant A
VM 2 VM 1
Logical Model
Physical implementation
Compute
Node
Compute
Node
VM1 Controller
Node(s)
Router
Network
Node(s)
External Network
VM2 VM1
Internet
vswitch vswitchvswitch
Data Network
Namespace
Management Network
API Network
20BRKDCT-2445

OpenStack Neutron Architecture
Neutron Server
REST API
Neutron Core
plugins
Neutron Service plugins
• Core + Extension REST API’s
• Message Queue for communicating
with Neutron Agents
• Core and Service Plugins
• Different vendor core plugins
• Different network technology support
• ML2 plugin with Type and Mechanism
Drivers
• Service plugins with backend drivers
Core API
Network Port Subnet
Resource and Attribute Extension API
ProviderNetwork PortBinding Router Quotas SecurityGroups AgentScheduler LBaaS FWaaS VPNaaS ….
Type Drivers Mechanism Drivers
VLAN
GRE
VXLAN
CiscoNexus
OVS
OpenDayLight
APIC
Morevendor
drivers
ML2
Othervendor
plugins
DHCP Agent
L3 Agent
Message
Queue
IPTables on
Network
Node
L2 Agent
vSwitch
dnsmasq
BRKDCT-2445 21
LoadBalancer
Firewall
VPN
HAProxy
IPTables
StrongSwan
L3ServicesNamespace
QoS
BGP
LB/OVS/
SR-IOV
Ryu

Layer 2 network tenant topologies
Compute
Node
Compute
Node
VM3 VM4 VM2
vswitch SR-IOV
Data Network
VM1
Fabric Leaf, Top of Rack
Compute
Node
Compute
Node
VM3 VM4 VM2
vswitch vswitch
Data Network
VM1
Fabric Leaf, Top of Rack
Host and Network based VLAN Host based overlays
Compute
Node
Compute
Node
VM3 VM4 VM2
vswitch vswitch
Data Network
VM1
Fabric Leaf , Top of Rack
Network based overlays
VLAN Overlay
24BRKDCT-2445

• Number of Tenant Network Segments
• VLAN based tenant networks
̶ Host (vswitch v/s SR-IOV)
̶ Host and Network
• VXLAN based tenant networks
̶ Host (L2 population)
̶ VXLAN offload - Network
̶ Multicast v/s Controller (EVPN)
• Provider Networks
25BRKDCT-2445
Layer 2 network tenant topologies – Design
Considerations

Compute
Node
vswitch
Layer 3 tenant network topologies
Linux Host
Compute
Node
VM1
Network
Node(s)
VM2
vswitchvswitch
Data Network
Namespace
Service VMs
Fabric, Top of Rack
VM1
Compute
Node
VM2
vswitch
Data Network
Service VMs
Fabric, Top of Rack
Compute
Node
VM1
Network
Node(s)
VM
vswitch
Data Network
Fabric, Service Node
Fabric or Service Node
26
vswitch
BRKDCT-2445

Layer 3 network tenant topologies – Design
Considerations
• External connectivity for tenant networks
• Floating IPs
• L3 Traffic Pattern E-W and N-S Routing
• Central v/s Distributed Routing
• Host v/s Network based routing
27BRKDCT-2445

Cisco integrations into Neutron

Neutron Layer 2 Default Implementation
Neutron Server
Neutron Core plugin
(ML2)
Network REST API requests
Open vSwitch/Linux
Bridge
Mechanism Drivers
Compute Node
Network and
Compute Nodes
VM VM
vswitch
RPC message
to agent on
nodes
29
• Implements Neutron Core
Resources
• Open vSwitch and Linux
Bridge Mechanism Drivers
• Agents on Network and
Compute Nodes
• Host based VLAN or Overlay
(VXLAN, GRE) Type Drivers
BRKDCT-2445

Nova HostNova HostNova Host
30BRKDCT-2445
Neutron Reference – East-West L2 (Switched)
Traffic
VM1 Controller
Host(s)
Router
Neutron
Host(s)
DHCP ports
API NetworkExternal Network
Management Network
VM6VM5VM2 VM3 VM4
Internet
vswitch vswitch vswitchvswitch
Data Network
PKT
Packet path animation for packet
traveling from VM1  VM3.

VM on a Compute
Nodes
Neutron Cisco Nexus Driver
Neutron Server
Neutron Core
plugin (ML2)
Cisco Nexus Driver
Ncclient
Nexus
Nova
Compute Nodes
create/update
port request
sent to Neutron
Features
• Works with multiple Nexus platforms
• VLAN configuration
• VXLAN configuration
̶ Nexus_VXLAN Type Driver
̶ Multicast
̶ VLAN to VNI association
Benefits
• No Trunk all tenant VLANs on
compute node interfaces on ToR
• Dynamic provisioning/deprovisioning
on ToR
• Network based overlays
Nexus ToR
VM VM
netconf
BRKDCT-2445 31

VMs on Compute
Node
Neutron Cisco UCSM Driver (KVM)
Neutron Server
Neutron Core
plugin (ML2)
Cisco UCSM driver
UCSM SDK
Compute Nodes
Nova
create/update port
Features:
• Supports VLAN configuration of SR-IOV ports
(using port profiles) and vNIC ports (using Service
Profiles)
• Nova and Neutron enhancements to support SR-
IOV
• Enables configuration of VLAN profiles and
automatic association with network ports
• Support for multiple UCSM domains and discovery
of blades (hosts) to Service Profile mapping
Benefits
• SR-IOV and non SR-IOV based UCS Fabric
Interconnect configurations
• High network performance bypassing hypervisor
switch
VM VM
BRKDCT-2445 32
UCS Fabric
Interconnect

Demo Topology – Neutron ML2 UCSM Driver
VIRTIO Subnet SRIOV Subnet
VM 1
Tenant A
VM 2 VM 3
Logical Model
Compute
Node
Compute
Node
VM1
Controller +
Network
Node
VM2 VM4
vswitch/VM-FEX vswitch/VM-FEXvswitch
Data Network
Management Network
34
DHCP
NS
DHCP
NS
Node1 Node2 Node3
Fabric
Interconnect
VM 4
VM3
BRKDCT-2445
Fabric
Interconnect

Neutron Routing Implementation
Neutron Server
Neutron Service
plugin (L3)
Routing REST API requests
L3 agent on
Network Node
L3 agent on
Network Nodes
Default Gateway,
Namespace and
IPTables
Namespace maps to a
Neutron logical router.
IPTables handle address
translations
Agent Scheduler
Picks a L3 agent on a
Network Node
Compute Node
Compute Nodes
L3 traffic goes through
Network node
VM VM
Neutron router HA capabilities using VRRP
39BRKDCT-2445

40BRKDCT-2445
Neutron Reference – East-West L3 (Routed) Traffic
VM1 Controller
Host(s)
Router
Neutron
Host(s)
Management Network
VM6VM5VM2 VM3 VM4
Internet
Data Network
PKT
Routing
traveling from VM1  VM4
Virtual Router

41BRKDCT-2445
Neutron Reference – North-South L3 Traffic (NAT)
VM1 Controller
Host(s)
Router
Neutron
Host(s)
Management Network
VM6VM5VM2 VM3 VM4
Internet
Data Network
PKT
NAT
traveling from VM1  Internet
Virtual Router

Issues in Neutron Reference L3 and ASR1K Solutions
• NAT for External Connectivity:
• Issue - Scale limitation in Linux iptables software NAT.
• Solution - ASR1K can scale up to 4 million dynamic NAT entries and 16K
static NAT entries.
• Tenant Routing:
• Issue – Managing Linux namespaces and interfaces software based tenant
networking.
• Solution - ASR1K uses Virtual Routing and Forwarding (VRF) instances for
tenant routers.
• Data Throughput:
• Issue - Performance limitations with software packet forwarding and NAT
on generic compute hardware.
• Solution - ASR1K can perform packet forwarding and NAT at rates upto 230
Gbps.
42BRKDCT-2445

Neutron Cisco ASR1000 for Neutron L3 Service
• Mapping of Neutron reference L3
implementation -
- Linux namespaces - ASR1K VRF
- Internal Router ports – ASR1K VLAN or Port
Channel sub interfaces
- External Gateway ports – ASR1K VLAN or Port
Channel sub interfaces
- Linux IPTables – ASR1K NAT
• Benefits
• Routing using physical infrastructure
• Support for HSRP and Port Channel
• OpenStack Multi-Region Support
• Config Agent Sync with ASR1K (Keep Alive)
• Integrates with ACI
Neutron Server
Neutron Service plugin
(L3)
Routing Device Driver
(ASR1K)
Config Agent
Cisco Config Agent
Nexus
ASR1K
netconf
BRKDCT-2445

OpenStack Neutron + Nexus + ASR : Physical
Topology Example
Layer-3
Network
ASR 1000
Routers
OpenStack Controller
Neutron Server with
Cisco Config AgentNova Compute Nodes
Nexus Layer-2
Tenant VLANs
Management Network (NETCONF provisioning)
BRKDCT-2445

ASR1K
Neutron
Host(s)
45BRKDCT-2445
ASR1K - East-West L3 (Routed) Traffic
VM1
Controller
Node(s)
Router
Data Network
(L3 routed)
Management Network
VM6VM5VM2 VM3 VM4
Internet
vswitch vswitch vswitch
Nexus TOR Nexus TOR
ASR1K
L3
Plugin
VRF with
default GW
and NAT (to
global
routing).
PKT
Note : Packet animation included –
VM1  VM4
Virtual Router

ASR1K
Neutron
Host(s)
46BRKDCT-2445
ASR1K - North-South L3 Traffic (NAT)
VM1
Controller
Node(s)
Router
Data Network
(L3 routed)
Management Network
VM6VM5VM2 VM3 VM4
Internet
vswitch vswitch vswitch
Nexus TOR Nexus TOR
ASR1K
L3
Plugin
VRF with
default GW
and NAT (to
global
routing).
PKT
Note : Packet animation included –
VM1  Internet
Virtual Router

Demo Topology – Neutron ASR1K Driver for L3
Private Subnet Private1 Subnet
VM 1
Tenant A
VM 2
Logical Model
Compute
Node
Compute
Node
VM1
Controller +
Network
Node
VM2
Data Network
Management Network
DHCP
NS
DHCP
NS
Node 1 Node 2 Node 3
Nexus
Router
BRKDCT-2445
ASR1KASR1K
Nexus
Port-Channel 10, 11

Virtual Topology System (VTS) driver
XRv
Compute Node
Features
• REST API based controller
• Support for Virtual and Physical
Overlays
• Support for MP-BGP EVPN and
multicast based flood and learn control
plane
• Leverages Cisco Vector Packet
Processing (VPP) technology for VTF
• Neutron L3 routing implementation on
physical network using L3 VXLAN and
Anycast Gateway
REST
Compute Node
VM
VTC
VTF
VTF
BGP/EVPN
VXLAN Tunnel
Vhost socket
netconf / yang
BRKDCT-2445 54
ToR
VM
Neutron Core
plugin (ML2)
Cisco L2
VTS Driver
Cisco L3
VTS Driver
Neutron L3
Plugin
VXLAN Tunnel
Neutron Server
Benefits
• Network Fabric automation
• Line rate packet forwarding with VPP
• Integrates with NSO

VMs on Compute
Nodes
Neutron Cisco Application Policy Infrastructure
Controller (APIC) Driver
Neutron Server
Neutron Core
plugin (ML2)
Cisco L2
APIC Driver
APIC
VMs on Compute
Nodes
Cisco L3
APIC Driver
ACI Spine/Leaf
Switches
REST API
Network:EPG, Router:Contract
Provides distributed L2,L3 functionality
Neutron L3
Plugin
 Neutron API: Network, Router,
Subnet, Security Group
 L2 / L3 enforced in fabric,
security groups enforced on
hypervisor
55BRKDCT-2445

Group Based Policy and Neutron
VMs on Compute
Nodes
Group Based Policy (GBP)
GBP Neutron
Driver
Neutron
APIC
VMs on Compute
Nodes
APIC GBP
Driver
ACI Spine/Leaf
Switches
REST API
Policy Group, Ruleset
Provides distributed L2,L3 functionality
GBP Driver
Neutron
Plugins/Drive
rs
Network, Router
Create Classifier/ Rule
gbp policy-classifier-create web-traffic –
protocol tcp –port-range 80 –direction in
gbp policy-rule-create web-policy-rule –
classifier web-traffic –actions allow
Create Policy RuleSet
gbp ruleset-create web-ruleset –policy-
rules web-policy-rule
Create Group
gbp group-create web
Group Association
gbp group-update web –provided-rulesets
web-ruleset
Launch Web Server VM using Endpoint in
EPG
gbp member-create –group web web-1
vswitch
57BRKDCT-2445

OpFlex Integration
• Hypervisor local enforcement security
policies
• Security Groups (ML2 driver) via IP
Tables
• GBP via OpenFlow in Open vSwitch
• Distributed NAT support on each compute
node
• Floating IP
• sNAT (via hypervisor host IP)
• Distributed Neutron services per compute
node
• L3 / Anycast gateway, metadata,
DHCP
• Multiple VRF support
BRKDCT-2445 58
Hypervisor
vm4
Project 1 Project 2 Project 3
vm5
vm3
vm5
vm6
OpFlex Agent
OpFlex Proxy
V(X)LAN
OpenStack
Group-Based Policy
(optional)
APIC ML2
APIC

Advanced Neutron considerations

Tenant 2Tenant 1
VMTP Data Plane
Flows (logical)
Automated data path validation and performance tests using VMTP tool.
Client VM
2L3 fixed IP
L2 same
network
Client VM
1
Client VM
3 L3 floating IP
Server VM
Virtual router
Client VM
4upload 5 download
(external host)
VMTP – Data path validation and performance tool
BRKDCT-2445 60

Neutron IPv6 for tenant data network
• IPv6 addressing using two attributes -
• ipv6_ra_mode – Determines who sends RA
• ipv6_address_mode – Determines how instances obtain IPv6 address, default gateway,
and/or optional information.
• Support for different IPv6 addressing schemes
• SLAAC
• DHCPv6-stateless
• DHCPv6-stateful
• Dual Stack Support
• IPv6 Routing
• Prefix Delegation
61BRKDCT-2445

Neutron Addressing Schemes
ipv6_ra_mode ipv6_address_mode Result
SLAAC N/S Address using Neutron router
N/S SLAAC Address using external router
SLAAC SLAAC Address using Neutron router
DHCPv6-
stateless
N/S Address using Neutron router and optional
information using external service
N/S DHCPv6-stateless Address using external router and optional
information using Neutron DHCP
implementation
DHCPv6-
stateless
DHCPv6-stateless Address and optional information using
Neutron router and DHCP implementation
respectively
DHCPv6-stateful N/S Address and optional information using
external service
N/S DHCPv6-stateful Address and optional information using
Neutron DHCP implementation
DHCPv6-stateful DHCPv6-stateful Address and optional information using
Neutron DHCP implementation
Address
Configuration
Flags
Value
Auto 1
Managed 0
Other 0
Address
Configuration
Flags
Value
Auto 1
Managed 0
Other 1
Address
Configuration
Flags
Value
Auto 0
Managed 1
Other 1
62BRKDCT-2445

Network Function Virtualization
Tenant A
Compute
Node
Compute
Node
VM1
Network
Node(s)
VM2 VM1
Data Network
Namespace
10.1.0.4 10.1.0.5
10.1.0.1 10.1.1.1
10.1.1.4
Admin provisioned Service
Compute
Node
Compute
Node
VM1 VM2 VM1
vswitch vswitch
Data Network
10.1.0.4 10.1.0.5
Tenant provisioned Service
Service
VM
10.1.1.4
66BRKDCT-2445

Neutron and NFV
• Issue
• Anti-spoofing rules to ensure traffic
originates and terminates as expected
• Doesn’t work for NFV VNF use cases
• Solution
• Added Port Security Extension
• Adds new “Port Security enabled” attribute to
Network and Port Resources
• Only tenant owner can set this attribute on the
resources
• Security Group and Allowed Address Pair are not
allowed to be set
• Issue
• VXLAN for tenant isolation and VLAN for
app traffic isolation within the tenant
• No means to identify VLAN transparent
networks
• Solution
• Added Network Resource Extension
• Adds new “Vlan Transparent” attribute to
Network Resource
• Only tenant owner can set this attribute on the
resources
• No firewalling on VLAN tagged packets
67BRKDCT-2445

Summary
• OpenStack rapidly becoming the de-facto standard for data center orchestration
• Cisco’s broad-based OpenStack strategy spans products, partners and services
• Cisco is leading contribution in projects such as Neutron and others in the
OpenStack community
• Wide range of Cisco solutions available for integration with OpenStack
Networking
• Still lots to do…..
• More information can be found at
• www.cisco.com/go/openstack
• https://developer.cisco.com/openstack/
69BRKDCT-2445

Call to Action
• Breakout sessions:
• OpenStack Deployment for Enterprise and Service Provider (BRKDCT-2367)
• Agile OpenStack Networking with Cisco Solutions (BRKDCT-2445)
• Mastering OpenStack and ACI (BRKACI-3456)
• Media Data Center: Private Cloud for Media Workloads (BRKSPV-2510)
• Cloud Network Automation with OpenStack Neutron (BRKCLD-2012)
• Inside Cisco IT: Automating ITIL Configuration Management for OpenStack (BRKCOC-3001)
• Visit the World of Solutions and Labs for:
• Cisco Virtualized Packet Core Installation on OpenStack (LABSPM-2012)
• OpenStack Installation and Deployment with Cisco ACI Using OpFlex (LTRACI-2225)
• VTS Integration with OpenStack/VMware for Data Center Orchestration (LTRDCN-2001)
• DevNet zone related sessions:
• Open Source - Is it a Good Bet for Developing your Next Application? (DEVNET-1034)
• OpenStack Enabling DevOps (DEVNET-1104)
• Getting Started with OpenStack (DEVNET-1105)
• Upcoming Services in OpenStack (DEVNET-1106)
• DevNet Workshop - Getting Started with OpenStack (DEVNET-1211)
• BEST REST in OpenStack - Hands-on Workshop (DEVNET-2004)
• Multicast in an OpenStack Cloud (DEVNET-2055)
• Deploying Your Apps in an OpenStack Cloud (DEVNET-2018)
BRKDCT-2445 70

Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available
for viewing on-demand after the event at
CiscoLive.com/Online
• Give us your feedback to be
entered into a Daily Survey
Drawing. A daily winner will
receive a $750 Amazon gift card.
• Complete your session surveys
through the Cisco Live mobile
app or from the Session Catalog
on CiscoLive.com/us.
71BRKDCT-2445

Continue Your Education
• Demos in the Cisco Campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
72BRKDCT-2445

BRKDCT-2445

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à BRKDCT-2445

Similaire à BRKDCT-2445 (20)

Dernier

Dernier (20)

BRKDCT-2445

Notes de l'éditeur