@projectcalico Sponsored by Simple, Secure, Scalable networking for the virtualized datacentre UKNOF 33 Ed 19 th January 2016.

Slides:

Advertisements

Similar presentations

All Rights Reserved © Alcatel-Lucent 2009 Enhancing Dynamic Cloud-based Services using Network Virtualization F. Hao, T.V. Lakshman, Sarit Mukherjee, H.

Advertisements

Software Defined Networking in Apache CloudStack

Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:

Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net 1 E-VPN and Data Center R. Aggarwal

Internetworking II: MPLS, Security, and Traffic Engineering

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Implement Inter- VLAN Routing LAN Switching and Wireless – Chapter 6.

Connect communicate collaborate GN3plus What the network should do for clouds? Christos Argyropoulos National Technical University of Athens (NTUA) Institute.

Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle’s Next-Generation SDN Platform Andrew Thomas Architect Corporate Architecture.

CloudStack Scalability Testing, Development, Results, and Futures Anthony Xu Apache CloudStack contributor.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

© 2010 Cisco and/or its affiliates. All rights reserved. 1 Segment Routing Clarence Filsfils – Distinguished Engineer Christian Martin –

Brocade VDX 6746 switch module for Hitachi Cb500

Guide to Network Defense and Countermeasures Second Edition

The Case for Enterprise Ready Virtual Private Clouds Timothy Wood, Alexandre Gerber *, K.K. Ramakrishnan *, Jacobus van der Merwe *, and Prashant Shenoy.

Virtualization of Fixed Network Functions on the Oracle Fabric Krishna Srinivasan Director, Product Management Oracle Networking Savi Venkatachalapathy.

Application Centric Infrastructure

Network Overlay Framework Draft-lasserre-nvo3-framework-01.

“It’s going to take a month to get a proof of concept going.” “I know VMM, but don’t know how it works with SPF and the Portal” “I know Azure, but.

Anycast Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays 1:30pm-2:50pm.

Semester 4 - Chapter 3 – WAN Design Routers within WANs are connection points of a network. Routers determine the most appropriate route or path through.

Data Center Virtualization: Open vSwitch Hakim Weatherspoon Assistant Professor, Dept of Computer Science CS 5413: High Performance Systems and Networking.

Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS.

(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,

Network based IP VPN Architecture using Virtual Routers Jessica Yu CoSine Communications, Inc. Feb. 19 th, 2001.

Additional SugarCRM details for complete, functional, and portable deployment.

SDN Problem Statement and Use Cases for Data Center Applications Ping Pan Thomas Nadeau November 2011.

Data Center Network Redesign using SDN

BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.

Software-Defined Networks Jennifer Rexford Princeton University.

Networking the Cloud Presenter: b 電機三姜慧如.

Common Devices Used In Computer Networks

Presented by Xiaoyu Qin Virtualized Access Control & Firewall Virtualization.

Overlay Network Physical LayerR : router Overlay Layer N R R R R R N.

Chapter 8: Virtual LAN (VLAN)

MDC417 Follow me on Working as Practice Manager for Insight, he is a subject matter expert in cloud, virtualization and management.

608D CloudStack 3.0 Omer Palo Readiness Specialist, WW Tech Support Readiness May 8, 2012.

CON Software-Defined Networking in a Hybrid, Open Data Center Krishna Srinivasan Senior Principal Product Strategy Manager Oracle Virtual Networking.

Vic Liu Liang Xia Zu Qiang Speaker: Vic Liu China Mobile Network as a Service Architecture draft-liu-nvo3-naas-arch-01.

VXLAN Nexus 9000 Module 6 – MP-BGP EVPN - Design

1 © OneCloud and/or its affiliates. All rights reserved. VXLAN Overview Module 4.

BGP L3VPN Virtual CE draft-fang-l3vpn-virtual-ce-01 Luyuan Fang Cisco John Evans Cisco David Ward Cisco Rex Fernando Cisco John Mullooly Cisco Ning So.

1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.0 Module 8 Virtual LANs Cisco Networking Academy.

Chapter 3 - VLANs. VLANs Logical grouping of devices or users Configuration done at switch via software Not standardized – proprietary software from vendor.

INFSO-RI Enabling Grids for E-sciencE Dynamic Connectivity Service Oscar Koeroo JRA3.

SOFTWARE DEFINED NETWORKING/OPENFLOW: A PATH TO PROGRAMMABLE NETWORKS April 23, 2012 © Brocade Communications Systems, Inc.

HELSINKI UNIVERSITY OF TECHNOLOGY Visa Holopainen 1/18.

Introduction to CloudStack Networking Geoff Higginbottom CTO ShapeBlue

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1.

XRBLOCK IETF 85 Atlanta Network Virtualization Architecture Design and Control Plane Requirements draft-fw-nvo3-server2vcenter-01 draft-wu-nvo3-nve2nve.

Slide 1/20 "PerfSight: Performance Diagnosis for Software Dataplanes." Wu, Wenfei, Keqiang He, and Aditya Akella ACM ICM, Presented by: Ayush Patwari.

Securing Access to Data Using IPsec Josh Jones Cosc352.

Recent Progress in Routing Standardization An IETF update for UKNOF 23 Old Dog Consulting Adrian

EN Spring 2016 Lecture Notes FUNDAMENTALS OF SECURE DESIGN (NETWORK TOPOLOGY)

EVPN: Or how I learned to stop worrying and love the BGP

Eric Osborne ARNOG 2016 NFV (and SDN). Introduction About me: 20+ years in Internet networking: startup, Cisco, Level(3) Currently a principal architect.

Network Virtualization Ben Pfaff Nicira Networks, Inc.

fd.io vpp and containers

Instructor Materials Chapter 7: Network Evolution

Troubleshooting a Network

ETHANE: TAKING CONTROL OF THE ENTERPRISE

Semester 4 - Chapter 3 – WAN Design

Chapter 4 Data Link Layer Switching

The NPD Group - Enterprise DC Agenda

Marrying OpenStack and Bare-Metal Cloud

Software Defined Networking (SDN)

Network Virtualization

NTHU CS5421 Cloud Computing

Attilla de Groot | Sr. Systems Engineer, HCIE #3494 | Cumulus Networks

Data Center Traffic Engineering

Presentation transcript:

@projectcalico Sponsored by Simple, Secure, Scalable networking for the virtualized datacentre UKNOF 33 Ed 19 th January 2016

@projectcalico The Goal: Hyperscale Efficiency Metaswitch Networks | Proprietary and confidential | © 2014 | 2 The Goal: Hyperscale Efficiency The Goal: Hyperscale Efficiency

@projectcalico Metaswitch Networks | Proprietary and confidential | © 2014 | 3

@projectcalico Virtual Networking Today (VM’s / Containers) Port forwarding / NAT  Simple  Works “out of the box”  Easily understood  … but not “real IP networking”  Won’t work with all applications (e.g. IPsec)  Onerous port assignment constraints on applications  Requires app developers to be aware of constraints  Widely accepted as unsuitable for at-scale deployments Overlay networks  Connect each container to a virtual Layer 2 segment  Separate “overlay” domain over “underlay” network with GRE, MPLS, VXLAN, or proprietary tunneling protocols  But…  Lots of state – 1,000 machines => full mesh of 499,500 tunnels!  Breaking out of virtual network sandboxes requires NAT / router  L2 typically not required today  Requires app developers to be networking experts IP1:80 IP1:8080

@projectcalico They shoulda listened to Einstein… “We tried supporting a bunch of the commercial software-defined networks... The theory was, 'is it just the open vSwitch in Neutron is crap?' – [but] even the commercial ones aren't where they need to be.” – Joshua McKenty, CTO, Piston Cloud

@projectcalico A Glimpse at Overlay Networking Complexity

@projectcalico

An open source project to enable scalable, simple and secure IP networking in a data center / cloud environment What is Calico? SimpleScalableSecure Thousands of servers, 100k’s of workloads Don’t demand users to be networking experts Rich micro-service policy framework

@projectcalico What if we built a data center like the internet? IP App IP App IP App IP App IP App IP App IP App IP App Router BGP Hosts

@projectcalico What if we built a data center like the internet? IP App IP App IP App IP App IP App IP App IP App IP App BGP Compute Node VMs / LXCs Router VMs / LXCs … this is Project Calico!

@projectcalico Coarse-grained Policy (network/tenant isolation) Traditional approach: VLANs or mesh of tunnels (separation as by-product) Calico: Just a set of simple policy rules – all workloads in a given “network” just share a tag; all with the same tag are whitelisted, others blacklisted

@projectcalico Fine-grained Policy (micro-service segmentation) Traditional approach: Discrete firewall elements that are a bottleneck and not optimally placed to enforce security (by the time the packet reaches the firewall, it can’t be sure where it came from) Calico: Rich, but simply defined, policy rules Distributed host-based ACL calculation Ingress/egress enforcement in the data-plane pipeline immediately adjacent to each workload

@projectcalico The Distributed Firewall Network Fabric Network Fabric eth0 2001:db8:1234::1:2 Routing eth0 2001:db8:1234::1:3 eth0 2001:db8:1234::1:4 eth0 2001:db8:1234::1:7 eth0 2001:db8:1234::1:6 eth0 2001:db8:1234::1:5 2001:db8:5678::1 2001:db8:5678::2

@projectcalico Project Calico architecture eth0 2001:db8:1234::1:2 eth0 2001:db8:1234::1:4 eth0 2001:db8:1234::1:7 Felix Routes iptables Route Reflector Kernel BIRD

@projectcalico Calico Network Policy Model Workload … Endpoint … Profile … Tag Rules Workload Endpoint Profile container, VM, bare metal (virtual) network interface reusable policy

@projectcalico Life Before and after Calico Before CalicoAfter Calico Scale challenges above few hundred servers / thousands of workloads Scale to millions of workloads with minimal CPU and network overhead Troubleshooting connectivity issues can take hours What is happening is “obvious” – traceroute, ping, etc., work as expected EXIT On/off ramps + NAT to break out of overlay Path from workload to non-virtual device or public internet (or even between data centers) is just a route High availability / load balancing across links requires LB function (virtual or physical) and/or app-specific logic Equal Cost Multi-Path (ECMP) & Anycast just work, enabling scalable resilience and full utilization of physical links CCCC NANA CCNA or equivalent required to understand end-to-end networking, deploy applications Basic IP networking knowledge only required

@projectcalico Get Involved  Main project website:  Github  github.com/projectcalico  Mailing list, Slack info:  projectcalico.org/contact/  freenode IRC: #calico  Download & try it out  We welcome your feedback and contributions  Follow