
SD-WAN / Nuage VNS - Technical Deep Dive

Roman Pindrik
Nokia ION
RBC

© 2016 Nokia. All rights reserved. Nuage Networks is a Nokia venture.

AGENDA

• SDN and SD-WAN Concepts
• Virtualized Network Services (VNS) Portfolio
• Overview and Architecture
• Components (VSD, VSC, VRS, Gateways, NSG, VSAP)
• Deployment Models, Key Functionality, and Use Cases

TTP36009 Nuage Networks Virtualized Network Services (VNS) Fundamentals
NOKIA — PROPRIETARY AND CONFIDENTIAL — RESTRICTED — SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW. COPYRIGHT © 2016 NOKIA. ALL RIGHTS RESERVED.

ENTERPRISE NETWORKING NEEDS A RETHINK

ENTERPRISE WAN: MANUAL (TIME 'DEPENDENT'), TRANSPORT DEPENDENT, LOCATION DEPENDENT, DEVICE DEPENDENT

1. Turn-up a new site
2. Reconfiguration of existing site
3. Transport introduction/upgrades
4. L2-L4 VPN service configuration
5. Security implementation
6. Security assessment
7. L4-L7 application insertion
8. Datacenter interconnection
9. Operational moves/adds/changes
10. Service assurance/fault localization
11. Service optimization/fault prevention
12. Device replacement
13. Configuration auditing/compliance
14. ...

WHAT IS SD-WAN?

SD-WAN (Software Defined Wide Area Networks) is a new model for the delivery of Enterprise services over WAN based on SDN principles.

• Overlay offers transport choices
• IT-approach to network service delivery

SD-WAN promises to shift incremental control to enterprise IT.

IMAGINE IF…

[Diagram labels: Automated operations; ANY Network access; On-Net; General Purpose ANY hardware; New fulfillment models; SEAMLESS on-boarding; Private Cloud; Public Cloud; Internet; Enterprise WAN; Branch offices]

ONE COHESIVE ENVIRONMENT: FROM BRANCH TO WAN TO DATA CENTER

• Automated
• Instantaneous policy-driven modifications
• Simplified fulfillment and management
• Freedom of choice
• Open

VNS 3.2 Recap

Release 3.2
• Q2 2015

Open platform
• Form factors
  – NSG-E (6-port GE UTP)
  – NSG-V (KVM and ESX)
• Bootstrapping
  – PKI support X.509 certs
• Hardware integration
  – Trusted platform module
  – Crypto engine acceleration

Connectivity and Operations
• Group-key encryption
  – Integrated key server
• Dual uplink support
• Internet breakout
• NSG HA device/link models
• Dynamic NAT traversal

Operations
• Controller-based CLI
• VSAP integration
• Traffic mirroring
• Controlled NSG local SSH access

Application support
• Dynamic service insertion
• Multi-class of service QoS
• Address Translation (NAT/PAT)

VNS Rel4.0R1 – R3 Recap

Release 4.0r1
• Q2 2016

Open platform
• AWS AMI NSG-V Image
• Auto Config (Bootstrapping)
• TPM Status
• SSH Hardening
• Passwordless Login SSH keys
• Configuration Support for limiting Access

Connectivity and Operations
• VLAN on Uplink
• NSG HA device/link models
• PPPoE on Uplink
• NSG onboard BGPv4
• CE-PE
• CE-CPE
• IPSec (IPoESP) IKEv1 v2 (phase1)

Operations
• Controller-less Operations (Phase1)

Application Support
• VSD License Enhancements
• VSD and NSG UI Self Branding
• PAT Enhancements
• Per uplink address translation pool
• Per uplink NAT-T flag
• “Start:Stop” Address Translation Pool range definition
• Static port forwarding for incoming traffic

PROMISE OF SD-WAN: YOUR WAN ON YOUR TERMS

[Diagram labels: Centralized Management and Network Policy Engine; Software Defined Wide Area Network; IP-VPN; L2-VPN; Private IP; Business Internet; Internet; Fixed and Mobile Access Networks; Branch locations]

VNS: A NEW TYPE OF VPN

OVERLAY NETWORKS: DECOUPLING SERVICE AND TRANSPORT

• VNS is an SDN overlay solution
• VSC programs data plane for all NSGs
• Aware of all L2/L3 topology behind each NSG
• Calculate once, program many
• CPE becomes service instantiation point
• Smart edge principle
• VXLAN/VXLAN-IPsec service transport
• Full mesh capability
• Traffic is carried encapsulated over underlay network
• Underlay network could be any infrastructure
• Unaware of topology of overlay service
• Simplifies and enables service chaining
• New service introduction

OVERLAY SOLUTIONS

• To address the requirements in the previous slides, VNS uses a VXLAN-based overlay solution.
• An overlay network is a virtual abstraction (L2 or L3 service) built on top of an existing physical network.
• Overlay solutions fall under two main categories:

Network-centric overlays
• Examples: VPLS, PBB-VPLS, SPBM, TRILL
• Diminishing popularity due to one or more of:
  - MAC address, VLAN scaling
  - STP dependency, flooding limitations
  - Hardware/software requirements
  - Standards compatibility

Host-centric overlays
• Examples: VXLAN, NV-GRE, STT, etc.
• Increasing popularity due to one or more of:
  - Automated and simple VM provisioning
  - VM mobility
  - Scaled multi-tenancy

INFRASTRUCTURE (UNDERLAY) NETWORK

• Physical IP network
• Provides connectivity between IP routers and connected edge devices
• Routing tables set up using OSPF, ISIS, BGP, static routes
• Can provide other IP services. For example:
  - QoS
  - Multicast
  - ECMP
• VXLAN (or any other overlay protocol) is encapsulated in IP packets and carried over the IP underlay

OVERLAY NETWORK

• An overlay network is a separate network built on top of an existing infrastructure (underlay) network
• Simplifies provisioning because the underlay does not change
• Overlay traffic is ‘tunneled’ over the underlay network

VXLAN/EVPN OVERLAY VS. MPLS-BASED VPN

• Overlay networks are not new: Layer 2 and Layer 3 VPNs have been implemented in IP/MPLS networks to connect customer sites in an isolated and scalable manner for many years

VXLAN ENCAPSULATION

VXLAN (virtual extensible LAN) characteristics:

• Defined in IETF RFC 7348
• Provides Layer 2 overlay networks over a Layer 3 network
• Allows for 16 million tenant IDs as opposed to 4 thousand VLANs
• Inherent load balancing support in the DC network through ECMP using UDP source port hashing
• Tunnel encapsulation/decapsulation performed by VTEP (virtual tunnel endpoint) capable devices
• Most server NIC vendors and DC vendors have announced support for VXLAN

VXLAN PACKET FORMAT

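The 8-byte header behind the VXLAN characteristics listed above, as an added example (not from the original deck and not Nuage code): it builds and parses the RFC 7348 header, derives the UDP source port used for ECMP hashing, and checks the outer source address against a table of expected VTEPs. The CRC32 hash, the `known_vteps` table and all sample addresses are assumptions constructed for illustration.

```python
import struct
import zlib

VXLAN_UDP_PORT = 4789      # IANA-assigned destination port (RFC 7348)
FLAG_VNI_VALID = 0x08      # "I" flag: set when the VNI field is valid
VNI_BITS = 24              # 2**24 = 16,777,216 segment IDs
VLAN_ID_BITS = 12          # 2**12 = 4,096 VLAN IDs, for comparison


def build_vxlan_header(vni: int) -> bytes:
    """Return the 8-byte VXLAN header carrying `vni`."""
    if not 0 <= vni < (1 << VNI_BITS):
        raise ValueError("VNI must fit in 24 bits")
    # Word 0: flags (8 bits) + reserved (24 bits)
    # Word 1: VNI (24 bits)  + reserved (8 bits)
    return struct.pack("!II", FLAG_VNI_VALID << 24, vni << 8)


def parse_vxlan_header(udp_payload: bytes) -> dict:
    """Decode a VXLAN header; raise ValueError on a malformed one."""
    if len(udp_payload) < 8:
        raise ValueError("truncated VXLAN header")
    word0, word1 = struct.unpack("!II", udp_payload[:8])
    if not (word0 >> 24) & FLAG_VNI_VALID:
        raise ValueError("I flag clear: VNI is not valid")
    return {
        "vni": word1 >> 8,
        # Senders zero the reserved bits; non-zero values are worth logging.
        "reserved_clean": (word0 & 0xF7FFFFFF) == 0 and (word1 & 0xFF) == 0,
        "inner_frame": udp_payload[8:],
    }


def entropy_source_port(inner_frame: bytes) -> int:
    """Outer UDP source port derived from the inner Ethernet header, so ECMP
    spreads different flows while one flow stays on one path.
    CRC32 is an assumption of this sketch; RFC 7348 only asks for a hash of
    inner fields and recommends the range 49152-65535."""
    return 49152 + zlib.crc32(inner_frame[:14]) % 16384


def vtep_allowed(outer_src_ip: str, vni: int, known_vteps: dict) -> bool:
    """The VXLAN header has no authentication field, so a receiving VTEP can
    only check that the outer source is an endpoint it expects for this VNI.
    `known_vteps` (VNI -> set of IPs) is a hypothetical table."""
    return outer_src_ip in known_vteps.get(vni, set())


# Constructed sample: inner Ethernet header (dst MAC, src MAC, IPv4 ethertype)
SAMPLE_INNER = bytes.fromhex("02000000000b" "02000000000a" "0800") + b"payload"
SAMPLE_VTEPS = {5000: {"192.0.2.10", "192.0.2.20"}}   # constructed

if __name__ == "__main__":
    packet = build_vxlan_header(5000) + SAMPLE_INNER
    info = parse_vxlan_header(packet)
    print(info["vni"], info["reserved_clean"],
          entropy_source_port(info["inner_frame"]))
    print(vtep_allowed("192.0.2.10", info["vni"], SAMPLE_VTEPS))
    print(vtep_allowed("198.51.100.7", info["vni"], SAMPLE_VTEPS))
```

Because the header itself carries no integrity protection, the source-address check is only as strong as the underlay; over untrusted transport the deck's VXLAN-IPsec option is what protects the tunnel.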
VXLAN TRAFFIC FLOW EXAMPLE

SDN CONTROLLER: AUTOMATION AND FLEXIBILITY THROUGH CENTRAL CONTROL

SDN controller:
• Communicates with the NSG using the OpenFlow protocol
• MAC/IP addresses learned on LAN ports are reported to the controller
• Loads the forwarding information to all the NSGs

VNS: SD-WAN VXLAN-BASED VPN

• Control plane
  - OpenFlow and BGP EVPN
• Data plane
  - VXLAN
  - NSGs forward directly between each other using VXLAN as overlay
• Underlay network
  - VXLAN traffic (IP packets) between endpoints
  - Data plane can be further encapsulated if needed

VNS ARCHITECTURAL REPRESENTATION

[Diagram labels: Virtualized Services Directory (VSD); Virtualized Services Controller (VSC); RR; MP-BGP; Secured channels; Internet; IP; Branch; Hypervisor; VM]

VSP/VNS: A UNIFIED SDN SOLUTION

NUAGE NETWORKS VIRTUALIZED SERVICES PLATFORM (VSP)

Management Plane: Virtualized Services Directory (VSD)
• Network Policy Engine – abstracts complexity
• Service templates and analytics

Control Plane: Virtualized Services Controller (VSC)
• SDN Controller, programs the network
• Rich routing feature set

Data Plane: Virtual Routing & Switching (VRS)
• Distributed switch / router – L2-4 rules
• Integration of bare metal assets

Data Plane: Network Services Gateway (NSG)
• Network service platform for branches
• L2-L4 Switching/routing w/advanced network functions
• Physical or Virtual form-factors

[Diagram labels: OSS / Orchestration; 5620 SAM with VSAP; REST; SNMP; XMPP; MP-BGP; 7x50 DC Gateway; OF; OF-TLS; OVSDB; IP Fabric; VXLAN; VXLAN(oIPSec); WAN/INT; 7850 VSG; 3PP ToR; Port / VLAN; VMs; Containers; BMS; Datacenter SDN; SDWAN]

PLACEMENT OF VNS AND VSP COMPONENTS

• Management Plane: VSD
  - Programmable policy engine
  - Northbound interface
  - Cloud management systems (example: OpenStack)
  - Dedicated self-service portals
• Control Plane: VSC
  - Provides routing and switching controls
  - For virtual machines in a datacenter (VSP)
  - For branch hosts/devices (VNS)
• Data Plane:
  - VRS, VRS-G, VSG (for VSP)
  - NSG (for VNS)

AGENDA

• Nuage Networks Certification Training
• SDN and SD-WAN Concepts
• Virtualized Network Services (VNS) Portfolio
• Overview and Architecture
• Components (VSD, VSC, VRS, Gateways, NSG, VSAP)
• Deployment Models, Key Functionality, and Use Cases

NUAGE VNS CORE COMPONENTS AND INTERFACES

[Diagram labels: Trusted Control Infrastructure assumed over MPLS; Untrusted Internet; SSH to VSC; VSD Mgmt interface; VSD; VSD-N; VSAP; OSS; RR; PE; NSG-V/BR; VSC; NTP; Utility; DNS; DMZ; ENT FW; NSG]

• XMPP/XMPP-TLS: TCP 5222 (VSC/Utils->VSD)
• SNMP: UDP 161 (from SAM)/162 (to SAM)
• BGP: TCP dPort 179, sPort 1023
• HTTPS: TCP 11443/12443
• HTTPS: TCP 7443
• Stats: TCP 39090
• NTP: UDP 123 (NSG->VSC, VSC->NTP)
• RPC/Nuagemon: TCP 7407 (NSG->VSC)
• OF-TLS: TCP 6633 (NSG-VSC)
• DNS: UDP 53
• DTLS: UDP 4500 4789 NSG->VSC

VIRTUALIZED SERVICES DIRECTORY (VSD)

VSD CLUSTER DEPLOYMENT

VSD SERVICE ABSTRACTIONS

• Domain
  - Equivalent to a single Nuage Networks dVRS instance
  - In standard networking terminology, a domain maps to a VRF instance
  - A logical distributed router that enables L2 and L3 communication
• Zone
  - A set of network endpoints that must adhere to the same security policies
• Subnet
  - In standard networking terminology, a subnet is instantiated as an R-VPLS instance
• vPort
  - Can be explicitly created or auto-discovered
  - Attached to VMs, host and bridge interfaces which are mapped to NSG access ports

VSD MULTI-TENANT ARCHITECTURE

• Cloud service provider administrator (csproot) can create different enterprise definitions for each tenant.
• Each tenant can create their own user groups, domains and policies on the VSD.

SELF-SERVICE NETWORK SERVICE DELIVERY

The new operational model
• Users can turn up new services on demand
• Non-specialized personnel can turn up a site in 10 minutes or less

[Diagram labels: Customer Portal; Select VNS Service; Order Branch Equipment; Network Services Catalogue; Public clouds; Private clouds; Customer A - Software Defined Network Service; IP-VPN; L2-VPN; Private IP; Business Internet; Internet; Fixed and Mobile Access Networks]

VIRTUALIZED SERVICES CONTROLLER (VSC)

VIRTUAL ROUTING AND SWITCHING (VRS)

VRS COMPONENTS

The VRS consists of two main components:
• The VRS Agent: Nuage Networks-specific component that talks to the VSC using OpenFlow.
• The Open vSwitch (OVS): provides the switching and routing components, as well as the tunneling mechanisms to forward the traffic.

VRS AGENT

• Nuage Networks-specific component that talks to the VSC using OpenFlow
• Responsible for receiving and programming the actual L2 and L3 FIBs to allow communication:
  - Between local VMs
  - Between local VMs and remote hosts using tunnels
• Replies to all ARP requests (no flooding)
• Acts as a DHCP proxy server for the VMs
• Reports VM events to the VSC
• Downloads QoS policies and ACLs for VM traffic
• Handles statistics collection and reporting

VXLAN GATEWAYS: SOFTWARE OR HARDWARE

Software
• VRS-G is a VM
• Or runs on an x86 server

Hardware
• 7850 VSG
• 960 Gbps capacity
• 32 x 10G + 16 x 40G
• VXLAN encapsulation at line rate

Both:
• Control plane is integrated with VSC/VSD for automated VLAN/VXLAN mappings
• L2 and L3 capable

VIRTUAL ROUTING AND SWITCHING GATEWAY (VRSG)

NETWORK SERVICES GATEWAY (NSG)

NETWORK SERVICES GATEWAY (NSG)

• Network Services Gateway is the VNS service delivery point for IP networking
- Logical entity with physical and virtual appliances
- Flexible physical form factors to meet different on-premises requirements
- VM edition to support cloud CPE environments
- Centrally managed through VSP environment as a fully automated endpoint
• Intel X86 based
- Leverage off-the-shelf hardware components
- Intel QuickAssist and AES-NI for encryption and forwarding

[Image label: 7850 NSG-E]

NSG INSTANTIATION (ENTERPRISE LEVEL)

USING THE NSG

VNS Application Aware Routing (AAR)

Application Discovery (AD)
• Monitoring and classification of application traffic coming into the access ports of an NSG
• Signature-based L7 classification (e.g. Skype, Facebook, Google, etc). A library with signatures is bundled with the NSG software
• Customized classification based on source/destination IP address, source/destination L4 ports, L4 Protocol (TCP/UDP)

Network Performance Measurement (NPM)
• Health metrics of overlay network connections between NSGs in a domain using performance monitors with a specified network profile (DSCP value, payload size, traffic rate).
• Performance metrics include one-way packet loss, jitter and latency between the uplinks of different NSGs

Application Policy and Visualization (APV)
• Policy-driven intelligent path selection for application traffic based on one-way latency, jitter and packet loss measurements
• Path selection based on continuous probes and/or first packet detection
• Improve scalability with first packet detection

Combining VNS application capabilities

Application Discovery + Network Performance Measurement + Application Policy and Visualization (AD + NPM + APV)
= The intelligent forwarding of application traffic across the Enterprise WAN, ensuring that pre-defined per-application performance metrics (i.e. SLAs) are persistently met

1. Identify the Video Conferencing application flow to known destination, NSG at Site 2
2. Measure path performance metrics over both uplinks
3. Steer Video Conferencing application flows over a SLA-compliant path

[Diagram labels: Site 1; Site 2; NSG-BR; Voice; Video; Email; Path 1 – low latency/variation/loss; Path 2 – higher latency]

Performance Measurement per Path – Delay, Delay Variation, Loss, BW

AAR Specifics

• Probe: user-defined Payload, Rate, FC.
• Probes are encapsulated with a VXLAN header (no encryption).
• The default probe is set with an MTU of 512B, a rate of 1 packet every 10 secs and the Best Effort forwarding class (these values can be modified if needed).
• Lowest enforced limit today is 10 probes per second (100mSec).
• For APV-related probes, there is an idle timeout of 150 seconds after which the probe session is terminated - for 1st pkt.
• NPM probe results are reported via the stats channel.
• Dampening is hard-coded to 30 seconds today.
• Sampling frequency - packet loss: every 3 probe samples. So with a probe interval of 1/sec, packet loss is calculated every 3 secs (3 x probe interval).
• Sampling frequency - jitter/delay: every packet.

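How the sampling rules above turn probe results into a path decision, as an added example (not from the original deck and not Nuage code): loss is computed over windows of 3 probe samples, delay and jitter from every received probe, and the first uplink whose latest window meets the SLA is chosen. The jitter formula, the SLA thresholds, the uplink names and the probe values are assumptions constructed for illustration; the 30-second dampening is not modelled.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional

LOSS_WINDOW = 3   # slide: packet loss is calculated every 3 probe samples


@dataclass
class Sla:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


def window_metrics(delays_ms: List[Optional[float]]) -> Optional[dict]:
    """Metrics for the most recent complete window of probe results.
    Each entry is a one-way delay in ms, or None for a lost probe."""
    full = len(delays_ms) // LOSS_WINDOW * LOSS_WINDOW
    if full == 0:
        return None                       # not enough samples yet
    window = delays_ms[full - LOSS_WINDOW:full]
    received = [d for d in window if d is not None]
    loss_pct = 100.0 * (LOSS_WINDOW - len(received)) / LOSS_WINDOW
    if not received:
        return {"loss_pct": loss_pct, "latency_ms": None, "jitter_ms": None}
    # Assumption: jitter = mean absolute difference of consecutive delays.
    diffs = [abs(b - a) for a, b in zip(received, received[1:])]
    return {"loss_pct": loss_pct,
            "latency_ms": mean(received),
            "jitter_ms": mean(diffs) if diffs else 0.0}


def meets_sla(metrics: Optional[dict], sla: Sla) -> bool:
    """True only when a full window exists and every metric is within the SLA."""
    if metrics is None or metrics["latency_ms"] is None:
        return False
    return (metrics["loss_pct"] <= sla.max_loss_pct
            and metrics["latency_ms"] <= sla.max_latency_ms
            and metrics["jitter_ms"] <= sla.max_jitter_ms)


def select_uplink(probes: Dict[str, List[Optional[float]]], sla: Sla,
                  preference: List[str]) -> Optional[str]:
    """First uplink in `preference` whose latest window meets the SLA.
    Returns None when no path complies; the fallback is not on the slide."""
    for name in preference:
        if meets_sla(window_metrics(probes.get(name, [])), sla):
            return name
    return None


# Constructed probe results: one-way delay in ms per probe, None = lost probe.
SAMPLE_PROBES = {
    "internet": [20.0, 22.0, 21.0, 24.0, None, 95.0],
    "mpls":     [30.0, 31.0, 30.0, 31.0, 30.0, 32.0],
}
VIDEO_SLA = Sla(max_latency_ms=50.0, max_jitter_ms=5.0, max_loss_pct=1.0)

if __name__ == "__main__":
    for uplink, samples in SAMPLE_PROBES.items():
        print(uplink, window_metrics(samples))
    print(select_uplink(SAMPLE_PROBES, VIDEO_SLA, ["internet", "mpls"]))
```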
AAR Visualization – Enterprise Top 5 APM groups

Accessed via Organization > Stats

Graphical Representation:
• Applications identified ranked by Total Bytes

AAR Visualization – Enterprise Top 10 Applications

Accessed via Organization > Stats

Fields Reported:
• Domain
• APM Group
• Application
• L7 Classification
• Sum of Total MB

Note: Statistics can be exported Raw or Formatted (csv)

AAR Visualization: Applications – NSG Bytes

Accessed via Organization > Domain > Infra

Graphical Representation:
• Applications identified ranked by Total Bytes

NSG Border Router (NSG-BR)

• Problem statement
- DC connectivity (trusted underlay) to the IPsec encrypted branch offices (untrusted underlay)
- Book-end underlays with NSG or use IKEv2
- VLAN hand off to PE, VRS-G and/or NSG

• NSG Border Router
- Logical function only
- Support on NSG-X and NSG-V
- Egress tunnel shaping
- Unified policy from SD WAN to DC
- Demarcation point between underlays
- Multi-tenancy

• Function:
- Allow underlay next-hop addresses (VTEP addresses) to use non-globally routable IP addresses, i.e. to allow for underlay addresses not to be leaked between the data-centre and wide-area environments

NSG-BR resiliency
– Active-active – ECMP
– Active-standby – Priority Groups

[Diagram labels: Service overlay; NSG-1; NSG-2; NSG-3; NSG-BR; VRS-1; WAN; DC; VXLANoIPsec; VXLAN]

NSG-BR – Border Port

▪ Border Router Port
▪ New port type
▪ DC underlay IP interface
▪ VLAN
▪ VXLAN + Static IP
▪ vPort/VLAN/BGP
▪ Multi-Tenant

NP: Network Port
BRP: Border Router Port

[Diagram labels: NP1; NP2; BRP; BRP1; NSG-BR; NSG-1; NSG-2; VRS-1; VRS-2; Branch vPort; DC vPort; Branch Domain; DC Domain; link; VXLANoIPsec; VXLAN; WAN; DC]

PAT to Overlay: Distributed PAT – Remote Domain

▪ Distributed PAT
▪ Multiple PAT Pools
▪ Routable in destination domain
▪ Assign IP per NSG in Source domain
▪ Pool address management by VSD
▪ Local and Remote Shared domain
▪ Use Case: hosted service, B2B

[Diagram labels: Source Domain1 (SUB1, SUB2, SUB3, SUB4); NSG; PAT; PAT Pool IP1-IPn (IP1/32, IP2/32, IP3/32); Shared Domain (SUB1, SUB2)]

PAT to Overlay: Distributed PAT – Local Domain

▪ Shared Domain subnets exist locally on the NSG
▪ Use case: local shared resource (e.g. Printer)

[Diagram labels: Source Domain1 (SUB1, SUB2, SUB3, SUB4); NSG; PAT; PAT Pool IP1-IPn (IP1/32, IP2/32, IP3/32); Shared Domain (SUB1, SUB2, SUB3)]

PAT to Overlay: Topologies

▪ Multiple Source domains
▪ Overlapping IP addressing
▪ Source domain addressing
▪ Source and PAT pool addressing

▪ Multiple Destination domains
▪ NOT Supported

[Diagram labels: Source Domain 1; Source Domain 2; vPort; PAT; PAT Pool IP1-IP5; PAT Pool IP6-IPn; Shared Domain; Shared Domain 1; Shared Domain 2]

HEADLESS FORWARDING (Controller-Less Operation)

Definition: NSG in “Headless Mode”
• Defined as an NSG that has no control plane connectivity to any VSC
• Special Case: NSG loses all connectivity to the Key Server (VSD)

Failure Detection:
• OF-TLS timeout (3x5s)
• IPsec Key Update Miss

Data Plane:
• IPSec or VXLAN

[Diagram labels: VSD (Policy); VSC (Control); NSG (Data); HTTPS (via Proxy); XMPP-TLS; OF-TLS; BGP; BR; UNDERLAY-1; UNDERLAY-2; LAN; LAN (VIP); SINGLE UPLINK; DUAL UPLINK; DUAL UPLINK WITH REDUNDANT GROUP]

Hybrid WAN – Disjoint Underlay Solution

• Typical use case driving the adoption of SD WAN technology
• Way to connect a geographically dispersed WAN over 2 or more separate network connections at a customer site
• Typically one is Business Internet type connectivity, the other a private MPLS based VPN service
• Mandatory dynamic path selection for specific applications/application groups across ‘disjoint transport/underlay networks’
• Site to Site connectivity for Branches
• Single connection to either the Internet or the Private MPLS based VPN
• Dual homed sites to both underlays
• Resilience in the event of loss of one of the network uplinks

By using this approach, a hybrid WAN can give organizations a more versatile and cost-effective way to connect their offices while still relying on dedicated links to send mission-critical data and provide secure network resilience.

VNS Topologies Supported
SD WAN Overlay Service
[Diagram: four panels, each drawn between Site 1 and Site 2:
 - Private Network – Overlay Service
 - Internet – Overlay Service
 - Hybrid WAN – Overlay Service
 - MPLS VPN Inter-Working
 Other labels: Private IP Addressing (Overlapping), Public IP Addressing, MPLS VPN, Internet, MPLS CE, BGP Multi-tenant VPN, NSG-BR.]

MULTI-TENANT DISJOINT UNDERLAYS
Separate Routing Context
▪ BR:
  ▪ NH Context per underlay to avoid overlapping IP addresses
  ▪ Multi-tenant Routing table per customer
▪ HA Proxy:
  ▪ NH Context per underlay
  ▪ Single DNS name and globally unique IP address is used for the proxy across all underlays with no overlaps
▪ VSC:
  ▪ Multi-interface VSC using ESXi/trunk ports
  ▪ Support 100 interfaces/VSC (Target)

The Hybrid WAN use case must be able to support connectivity to sites whose NSGs are only connected to either uplink but not both. It should also support the case where the connection to transport “A” fails at one site and the connection to transport “B” fails at the other site.

[Diagram labels: HA Proxy (U1-1, U1-2, U1-3); VSC (C1-1, C1-2, C1-3); S1 NSG-c1 (U1-1, U1-2) with VRF-cust1; S1 NSG-cX (U2-1, U2-2) with VRF-custX; Underlay-1 Internet, Underlay-2, Underlay-X; uBR-1 (B1-1, B1-2, B1-3); uBR-2 (B2-1, B2-2, B2-3); VLAN/BGP per Tenant.]

NSG-BR/DISJOINT UNDERLAY Connector
• Base Principle: Logical Representation – Route Table

NSG-1 (site S1)
Routing Table
  Prefix   NH-ID
  S1       local
  S2       NSG-2
  S3       NSG-3
  S4       BR-1, BR-2
  Default  NSG-2
Next-hop table
  NH-ID  NH     tag
  NSG-2  U2-1   Underlay-1/Pref1
         (B1-1  Underlay-1/Pref lowest)
         (B2-1  Underlay-1/Pref lowest)
  NSG-3  B1-1   Underlay-1/Pref lowest
         B2-1   Underlay-1/Pref lowest
  BR-1   B1-1   Underlay-1/Pref lowest
  BR-2   B2-1   Underlay-1/Pref lowest
Resulting paths
  S1->S2 via underlay-1 NH U2-1
  S1->S3 via BR-1 or BR-2
  S1->S4 via BR-1 or BR-2
  S1-> default via underlay-1 NH U2-1

NSG-3 (site S3)
Routing Table
  Prefix   NH-ID
  S1       BR-1, BR-2
  S2       NSG-2
  S3       local
  S4       BR-1, BR-2
  Default  NSG-2
Next-hop table
  NH-ID  NH     tag
  NSG-2  U2-2   Underlay-2/Pref 2
         (B1-2  Underlay-2/Pref lowest)
         (B2-2  Underlay-2/Pref lowest)
  BR-1   B1-2   Underlay-2/Pref lowest
         B1-3   Underlay-3/Pref lowest
  BR-2   B2-2   Underlay-2/Pref lowest
         B2-3   Underlay-3/Pref lowest
Resulting paths
  S3->S1 via BR-1 or BR-2
  S3->S2 via underlay-2 NH U2-2
  S3->S4 via BR-1 or BR-2
  S3-> default via underlay-2 NH U2-2

[Diagram labels: S1 NSG-1 (U1-1); S2 + Default NSG-2 (U2-1, U2-2); S3 NSG-3 (U3-2, U3-3); S4; uBR-1 (B1-1, B1-2, B1-3); uBR-2 (B2-1, B2-2, B2-3); Underlay-1, Underlay-2, Underlay-3; VSC-1, VSC-2, VSC-3.]

NSG-uBR Phase 1 – Path Preference
Path Preference
• uBR as Last resort only
• Path to NSG via direct attached underlays always preferred
[Diagram labels: NSG-1 (U1-1); NSG-2 (U2-1, U2-2); NSG-3 (U3-2, U3-3); uBR-1 (B1-1, B1-2, B1-3); uBR-2 (B2-1, B2-2, B2-3); Underlay-1, Underlay-2, Underlay-3; one path marked "Always preferred".]
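
The two-stage lookup from the route-table slide (prefix to NH-ID, NH-ID to next hop) combined with the "uBR as last resort" rule above, as an added Python example that is not Nuage code. The tables are NSG-3's entries as read from the slide; treating "Pref lowest" as least preferred, using only the best preference level, and the `resolve` function itself are assumptions.

```python
# Added example: NSG-3's view from the route-table slide (transcribed, not vendor code).
# Stage 1: prefix -> NH-IDs. Stage 2: NH-ID -> (next hop, underlay, preference).
LOWEST = 10**6  # assumption: "Pref lowest" sorts after every numbered preference

ROUTES = {
    "S1": ["BR-1", "BR-2"],
    "S2": ["NSG-2"],
    "S3": ["local"],
    "S4": ["BR-1", "BR-2"],
    "default": ["NSG-2"],
}

NEXT_HOPS = {
    "NSG-2": [("U2-2", "Underlay-2", 2),        # direct path on a shared underlay
              ("B1-2", "Underlay-2", LOWEST),   # via uBR-1, last resort
              ("B2-2", "Underlay-2", LOWEST)],  # via uBR-2, last resort
    "BR-1": [("B1-2", "Underlay-2", LOWEST), ("B1-3", "Underlay-3", LOWEST)],
    "BR-2": [("B2-2", "Underlay-2", LOWEST), ("B2-3", "Underlay-3", LOWEST)],
}


def resolve(prefix, down_next_hops=frozenset(), down_underlays=frozenset()):
    """Return the next hops NSG-3 would use for prefix as (next hop, underlay).

    down_next_hops: remote uplink addresses that are unreachable.
    down_underlays: underlays on which NSG-3's own uplink is down.
    An empty list means the prefix is unreachable with the tables as drawn.
    """
    nh_ids = ROUTES.get(prefix, ROUTES["default"])
    if nh_ids == ["local"]:
        return [("local", None)]
    usable = [
        (pref, nh, underlay)
        for nh_id in nh_ids
        for nh, underlay, pref in NEXT_HOPS[nh_id]
        if nh not in down_next_hops and underlay not in down_underlays
    ]
    if not usable:
        return []
    best = min(pref for pref, _, _ in usable)
    # Assumption: only the best preference level is used; ties share the load.
    return sorted((nh, underlay) for pref, nh, underlay in usable if pref == best)
```

Calling `resolve("S2", down_next_hops={"U2-2"})` shows the fallback from the direct next hop to the two uBR entries.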

VNS HW Family – expanding SD-WAN deployment Use cases
[Chart: NSG models plotted by USE CASE/DEPLOY LOCATIONS (Cloud; PoP & DC; Large Branch, HQ; Medium Branch & LAN; Medium Branch; Small Branch & LAN; Small Branch (Soho); IoT) against Throughput (<10MB, 100MB, 500MB, 1G, 2G, 5G, 10G, >10G). Legend: Planned, Available. Models shown: NSG-AMI, NSG-v, NSG-X / BR, NSG-L, NSG-F, NSG-E, NSG-C. Date labels on the chart: Planned 1H 2016, Launched Dec 2014, Planned 2017, Planned Oct 2016, Planned 2017, Launched Sept 2015, Planned Q4 2016.]

7850 Network Services Gateways

Cloud
NSG-V
• NSG-V KVM Image
• NSG-V ESXi Image
• NSG-V Amazon Machine Image (AMI)
• NSG-V Azure*

S/M Branch Sites
NSG-C
• Intel Atom-based (2C)
• 3 x 10/100/1000 BASE-T
• 2GB RAM
• 16GB Primary Storage
• Trusted Platform Module
• 1X AC PSU
• 2X USB
• 1X RJ45 Serial Console
NSG-E
• Intel Atom-based (2C)
• 6x 10/100/1000BASE-T
• Trusted Platform Module
• Compact Flash storage
• 1X AC PSU
• 2X USB
• 1X RJ45 Serial Console

M/L Branch Sites / DC
NSG-F*
• Intel Xeon D (4C)
• 4x 10/100/1000BASE-T
• 2x 1000BASE-x SFP
• 16GB RAM
• 32GB Primary Storage
• Trusted Platform
• 64GB SSD Secondary Storage
• 2X AC PSU
• 2X USB3.0
• 1X RJ45 Serial Console
NSG-X
• Intel Xeon D (8C)
• 2x 10GBASE-x SFP+ WAN
• 4+4 x 1000BASE-(T/SFP)
• 32G RAM
• 32G Primary Storage
• Trusted Platform Module
• 256GB SSD Secondary Storage
• 2X AC PSU
• 2X USB3.0
• 1X RJ45 Serial Console

* Roadmap features
[Slide label: NFV Capable]

NSG-X – Specification
▪ Intel Xeon D-1548 8C, 2.0 GHz, 12MB Cache
▪ 2x 10GBASE-x SFP+ WAN
▪ 4+4 x 1000BASE-(T/SFP)
▪ Intel DH89xx Quick Assist
▪ 32GB RAM
▪ Primary Storage 32GB (m.2)
▪ Secondary Storage 256GB SSD
▪ TPM
▪ 2X AC PSU
▪ 2X USB (3.0)
▪ 1X RJ45 Serial Console
[Photo callouts: Console, 2x10GbE, 4x1GbE, 4x1GbE, Slot for future capabilities, 2xUSB, Intel QuickAssist, 3xFan, PSU Alarm suppression, 2xPSU.]

NSG-C
▪ 4.0.R4 PoC support – Prototypes available
▪ 4.0.R6 Software Support
▪ End of November – Hardware availability – CP(DR4)

▪ Specification
▪ Intel Atom based
▪ BayTrail E3825 2C, 1.33GHz
▪ 3 x 10/100/1000BASE-T
▪ 2GB RAM
▪ 16GB mSATA MLC
▪ TPM
▪ Fanless
▪ 1X AC PSU
▪ 2X USB (2.0 and 3.0)
▪ 1X RJ45 Serial Console
[Photo callouts: 3x1000BASE-T, USB2.0, 1xUSB3.0, Serial Console, Soft Reset.]

VNS 5.0 BIG ROCKS (2017 – EARLY PREVIEW)
[Diagram labels: ENTERPRISE, NSG-CPE; DATA CENTER, NSG-HUB; (Public/Private).]

CPE Access / WAN Edge
• 4G/LTE WAN Uplink
• Dongle / Embedded*
• External Antenna
• VNFs on NSG (Thick CPE)
• Single VNF: Firewall / WAN Acceleration (initial target)
• Integrated WiFi (NSG-E)
• OSPF on Access

WAN Core
• IPv6 Underlay Support
• IPv6 Overlay Support
• Multiple VLANs on Uplinks
• NAT-T Enhancements
• Multicast (IGMP Overlay)
• …

DC Edge
• NSG Border Router+
• NSG Disjoint Underlay+
• Public Cloud (AWS Marketplace, Azure)

* TBC

PERFORMANCE / SCALE / SECURITY
HARDWARE EVOLUTION

3G / 4G LTE – PLANS – EARLY INVESTIGATION

Q4 2016
• Demo / Limited Availability
• Dongle Based Integration
• Customer Specific Dongle Validation
• Features
• 1+1 Uplink Support (1LTE, 1WAN)
• Minimal VSD Integration

1H 2017
• GA Availability
• Customer Managed Procurement, Activation & Support
• Dongle Based Support
• Features
• 1 LTE Uplink Only or 1+1
• Circuit of Last Resort (2+1)*

*Stretch

VNFs on NSG (VAS) – EARLY INVESTIGATION

Goals:
• Support VM & Container FF VNFs
• Virtual FW, WAN Optimization
• Single vNF Phase1
• Minimal (common) workflow for VM & Containers managed via VSD
1. VNF Life Cycle Management
2. Service Insertion/Extensibility Framework
3. VNF Initialization & Configuration
4. OAM & VNF or SVC Health Check
• Support L2/L3 Services
• HW: NSG-X or NSG-F

Phase I Plan (1H 2017):
• VNF Selection – VM FF / Virtual FW (TBD)
• VNF Life Cycle Management
• Image Mgmt, Resource Mgmt, Scheduler
• CloudInit / Blob-based Initialization (license management, management IP)
• Health-checks and Reporting
• L2 Service Insertion
• Single VNF in Service Chain
• Access side / Transparent service (bump in the wire)
• Symmetric Services
• Basic Failover Detection
• HW: NSG-X

AUTOMATION AND FLEXIBILITY VIA CENTRAL CONTROL OF OVERLAY VPN SERVICES

• OpenFlow provides a mechanism to program the L2/L3 forwarding information base (FIB) and to provide notifications to the controller
- MAC/IP addresses learned on LAN ports are reported to the controller
- Controller determines whether the MAC/IP is to be programmed into FIB
• Federation of topology between controllers via BGP-EVPN
- MAC and IP reachability signaled
- VXLAN VNI information combined with NEXT_HOP
- Interworking with IP/MPLS environments
[Diagram labels: VSC, BGP EVPN, OpenFlow, OVSDB, NSG; 192.0.2.1, 192.0.2.3; 10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24; 10.2.0.1/32 aa:bb:cc:dd:ee:ff.]

OVERLAY VPN SERVICES

• A new way of delivering VPNs
• CPEs forward directly between each other using VXLAN as overlay
- 10.1.0.0/24 NEXT_HOP 192.0.2.1 VNI 123456
- 10.3.0.0/24 NEXT_HOP 192.0.2.3 VNI xyz
• Underlay network sees only outer header IP/UDP traffic between endpoints
- Inner Ethernet header encapsulated with VXLAN header
- Traffic management = IP
- Transport = IP
• Simplifies service chaining
• Dataplane can be further encapsulated if needed
[Diagram labels: Overlay, Underlay, Overlay.]
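
The route-to-encapsulation step described on this slide, as an added Python example that is not Nuage code: look up the overlay route for an inner destination, then build and check the 8-byte VXLAN header (RFC 7348 layout). The function names are assumptions, and 654321 is a constructed stand-in for the VNI the slide leaves as "xyz".

```python
import ipaddress
import struct

# Overlay routes as listed on the slide: prefix -> (underlay next hop, VNI).
# The slide leaves the second VNI as "xyz"; 654321 is a constructed stand-in.
OVERLAY_ROUTES = {
    ipaddress.ip_network("10.1.0.0/24"): ("192.0.2.1", 123456),
    ipaddress.ip_network("10.3.0.0/24"): ("192.0.2.3", 654321),
}
FLAG_VNI_VALID = 0x08  # the "I" flag: VNI field is valid


def lookup(dst_ip):
    """Longest-prefix match of an inner destination against the overlay routes."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [net for net in OVERLAY_ROUTES if addr in net]
    if not matches:
        return None
    return OVERLAY_ROUTES[max(matches, key=lambda net: net.prefixlen)]


def vxlan_encap(vni, inner_frame):
    """Prepend the VXLAN header: flags, 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    return struct.pack("!II", FLAG_VNI_VALID << 24, vni << 8) + inner_frame


def vxlan_decap(payload, expected_vni):
    """Return the inner Ethernet frame, or None when the header is too short,
    the VNI-valid flag is clear, or the VNI is not the receiving domain's."""
    if len(payload) < 8:
        return None
    word0, word1 = struct.unpack("!II", payload[:8])
    if ((word0 >> 24) & FLAG_VNI_VALID) == 0:
        return None
    if (word1 >> 8) != expected_vni:
        return None
    return payload[8:]
```

The header carries no integrity or confidentiality protection of its own; the VNI check only separates domains, which is the gap the IPsec data plane on the later slide covers.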

MANAGED ROUTER SERVICE

• Re-think of existing MRS products to solve problems:
- CPE management and lifecycle
- CPE cost and performance
- Customer self care
- Basis for enabling Value Added Services
• Multi-tenanted VSP allows customers to self-manage their network and CPE
- VSD Architect or customer portal interface
- VSC is VPRN-aware and exists in multiple transport VPRNs
- NSG can operate in IP-mode or Overlay-mode
• Centralized VSP infrastructure with redundancy
- Distribute VSCs to multiple POPs
- Solved: CPE configuration management, time-to-implement
- Improves: CPE replacement, reduces truck-rolls
- Supports: vCPE/vCE architecture
[Diagram labels: Customer Portal, IP-VPN.]

IPSEC OVERLAY DATA-PLANE
• Single-click to enable IPsec dataplane
• Hub-and-spoke (IKEv2) and/or full-mesh (Key-Server)
• Separation of key-computation from symmetric key-generation allows for fine-grained rekeying
• Maintains service and transport separation thus maintaining service attributes
• Per Tenant, Per-subnet encrypted forwarding flexibility
• IPsec Forwarding acceleration in NSG platform
• Support for dynamic NAT-T
• Sequence-based anti-replay
• Multi-tenanted Key-server as part of unified policy (VSD)
• Integrated PKI and device infrastructure provisioning
• Includes automation of all machinery:
- PKI for certificate management
- IPSEC infrastructure provisioning
- Security policies definition and distribution
- Revocation logic
- Visibility and monitoring
[Diagram labels: VSD: Key-server and PKI; VSC: Re-keying and device authentication; Overlay, Underlay, Overlay.]

DUAL UPLINK AND TRAFFIC STEERING

ECMP across both links
Intelligent Traffic Steering
[Diagram labels: Enterprise admin, VSD, VSC; Site 1 NSG, Site 2 NSG; IP/MPLS WAN (Provider Network); Internet (3G/LTE, BB, etc.); Private Data Center (or HQ); Public Cloud, SaaS; Voice, Video.]

DUAL UPLINK AND FAILOVER

ECMP across both links
Intelligent Traffic Steering
Seamless Backup
[Diagram labels: Enterprise admin, VSD, VSC; Site 1 NSG, Site 2 NSG; IP/MPLS WAN (Provider Network); Internet (3G/LTE, BB, etc.); Private Data Center (or HQ); Public Cloud, SaaS; Voice, Video; one link marked X.]

APPLICATION AWARE ROUTING

• Objective: Dynamically forward traffic to NSG network uplinks based on one-way measurement of overlay
- DPI based application classification
- OWAMP based synthetic traffic measurements
- Measure symmetric paths (not cross paths)
- Compare results to per application SLA
- Pick conforming path

▪ Policies configured in VSD
▪ Application-Groups, Applications, Application Probes, Application SLAs
▪ Probe measurements can be triggered based on ToD or packet-detection
▪ Attached to vPort to enable feature

[Diagram labels: Site 1 NSG, Site 2 NSG; IPVPN, Internet; Voice, Video, Email; Application Aware Routing.]
Performance Measurement per Path – Delay, Delay Variation, Loss, BW
Path 1 – low latency/variation/loss
Path 2 – higher latency
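
The "compare results to per application SLA, pick conforming path" steps above, as an added Python example that is not Nuage code. The SLA thresholds and probe values are constructed; the function names, and staying on the current path when it still conforms or when no path conforms, are assumptions the slide does not state.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Sla:
    max_delay_ms: float
    max_jitter_ms: float
    max_loss_pct: float


def summarize(probes):
    """Reduce one probe run to (mean delay, delay variation, loss %).

    probes: one-way delays in ms in send order, None for a probe that never arrived.
    """
    if not probes:
        raise ValueError("empty probe run")
    received = [d for d in probes if d is not None]
    loss = 100.0 * (len(probes) - len(received)) / len(probes)
    if not received:
        return float("inf"), float("inf"), loss
    steps = [abs(b - a) for a, b in zip(received, received[1:])]
    return mean(received), (mean(steps) if steps else 0.0), loss


def conforms(stats, sla):
    delay, jitter, loss = stats
    return (delay <= sla.max_delay_ms and jitter <= sla.max_jitter_ms
            and loss <= sla.max_loss_pct)


def pick_path(sla, probe_runs, current):
    """Choose the uplink for one application from {path name: probe run}.

    Stays on `current` while it conforms, otherwise moves to the conforming
    path with the lowest delay; with no conforming path it stays put.
    """
    stats = {path: summarize(run) for path, run in probe_runs.items()}
    if conforms(stats[current], sla):
        return current
    ok = [path for path in stats if conforms(stats[path], sla)]
    return min(ok, key=lambda path: stats[path][0]) if ok else current


# Constructed measurements in the spirit of the slide: path 1 with low
# latency/variation/loss, path 2 with higher latency (and one lost probe).
RUNS = {
    "ipvpn": [20.0, 22.0, 21.0, 23.0, 20.0],
    "internet": [80.0, 95.0, None, 90.0, 85.0],
}
VOICE = Sla(max_delay_ms=150, max_jitter_ms=30, max_loss_pct=1)    # constructed
EMAIL = Sla(max_delay_ms=500, max_jitter_ms=100, max_loss_pct=25)  # constructed
```

With these inputs `pick_path(VOICE, RUNS, "internet")` moves voice to the IPVPN path, while email stays on the Internet path because it still meets its own SLA.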

APPLICATION AWARE ROUTING
PROBES/RESPONDERS
[Diagram panels:
 - Full-mesh and Hub-Spoke, OWAMP probe between NSGs (NSG, NSG-E, NSG-C, NSG-F): R4.0R4 GA
 - Shadow-responder (NSG-E or BYOD, NSG-X): Subsequent releases
 - Third-party responder (7750 SR), TWAMP RTT probe: Subsequent releases
 - Any-IP responder (server application, e.g. www.google.com), IP RTT probe: Subsequent releases]

APPLICATION AWARE ROUTING
USE CASES

• I would like to discover which applications are running at my site
  Unknown apps; NSG in Discovery mode
  e.g. - Detect branch applications
• ToD scheduled monitoring – known applications/known subset of sites
  Known apps at both ends; NSGs in PPS mode
  e.g. - Video conference meeting
• I would like to monitor custom apps independent of destination
  Custom apps, unknown destinations; NSG in PPS mode
  e.g. - Enterprise in-house developed applications
• Known applications/unknown sites – 1st packet trigger
  Known apps at both ends; NSGs in PPS mode
  e.g. - VoIP call between users

THANK YOU
