Brocade-openlab-day-SDN-overviewx

Brocade Software Networking
© 2015 BROCADE COMMUNICATIONS SYSTEMS, INC. COMPANY PROPRIETARY INFORMATION
Agenda
• Industry Trends
• Quick SDN / NFV Overview
• Introduction of Brocade SDN / NFV Portfolio
• Brocade Flow Optimizer REN Use Cases
An Industry in Transition
[Figure: timeline of three IT platforms, showing a gap in IT relevance between "Expectations" and "Delivery".]
• 1st Platform (1975): Mainframes, PCs; SNA Arch, Private Lines
• 2nd Platform (1995): Client-Server; LAN/WAN, Internet & IP Networks; 2700 websites, 16M Internet users, <100M mobile devices
• 3rd Platform (2015): Cloud, Mobile, Social, Data Analytics, “Digital business”; 1B websites, 2B Internet users, 7B mobile devices
What the 3rd Platform Looks Like
From:
• Closed: Proprietary HW, Proprietary OS, Proprietary Apps
• Reactive
• Isolated elements
• Manual
• High cost
• Slow innovation
To:
• Open: Commodity HW, Open Source OS, Interoperable Apps
• Proactive
• Integrated system
• Automated
• Low cost
• Rapid innovation
[Figure: the 3rd Platform chart from the previous slide (gap between "Expectations" and "Delivery") alongside the "New IP" stack; stack labels: Orch, Overlay, NFV, SDN, Underlay, Fabrics, Edge, Compute, Storage, Networking.]
New IP—Transformation of the Network
A Customer Driven Disruption
The New Vision
How You See It Today
Open with a purpose
Open source, interoperable protocols
Innovation at software speeds
Agility, Training, Partnering, Services
Ecosystem-compatible solutions
Legacy + NG Features, Open Interfaces
Your pace, your path
Solutions with interoperable components
Software Defined Networking (SDN)
A Programmable Network—Design, Build, Manage
[Figure: layered SDN architecture, top to bottom: Applications and Orchestration Frameworks; REST APIs; Control Plane (Basic Network Services: Topology Mgr, Switch Mgr, Host Tracker, Stats Mgr); Network protocols like OpenFlow; Data Plane.]
Key Features
• Network algorithms decoupled from Hardware
Advantages
• Network automation can integrate with other disciplines
• Less lock-in; Users can choose features to suit their needs
• Networking control can innovate at software speeds
Network Functions Virtualization (NFV)
[Figure: network functions moving from Hardware to Software; functions shown: Router, VPN, Firewall.]
Main Features
• Complex networking functions in software on commodity servers
• Simpler networking functions in commodity networking devices
Advantages
• Remove hardware lock-in
• Simplify resource planning
• Enable fast service innovation
• Soft upgrades -> Meet SLAs
• Reduce CAPEX/OPEX
Brocade Software Networking
Agile, Open, Economics
[Figure: Brocade software networking portfolio; labels: Brocade SDN Controller, Web Client, IPsec, Brocade vRouter (Branch), Brocade vRouter (Cloud), Brocade vADC, Web Server 1, Web Server 2, Web Server 3, Data Center, Virtualized Core for Mobile.]
Brocade SDN Apps
Brocade Flow Manager
• It delivers: Backbone Circuit Provisioning
• Use Cases: Software Defined Backbone
• Target Networks: Production Backbone (Enterprise, REN, Colo DC)
Brocade Flow Optimizer
• It delivers: Provides Network sensor based services without disruption
• Use Cases: A) Threat Mitigation; B) Large Flow Monitoring and Optimization
• Target Networks: Production Network (Campus, DC Core/Border, ISP Peering Router, REN HPC)
Brocade Visibility Manager
• It delivers: Manages Brocade Packet Broker
• Use Cases: A) Traffic aggregation, replication and load-balancing to tools; B) Advance/Expert Interface with 3rd-party integration
• Target Networks: Visibility Network (Large Enterprise, REN, DC)
Brocade OpenFlow-capable Hardware Families
The MLXe Router and ICX Campus product lines
ICX 7450 Switch
ICX 7250 Switch
ICX 6610 Switch
ICX 6450 Switch
ICX 7750 Switch
MLXe Series Routers
L2 / L3 Firewall Bypass
Science-DMZ Use Case
[Figure: WAN/Internet, Brocade MLXe Router, Firewall and HPC/DTN Network, with Brocade Flow Optimizer on the Brocade SDN Controller (OpenDaylight); numbered callouts 1-6.]
Callouts in the figure:
• Incoming flow from upstream network
• Sent to Firewall for processing
• Brocade Flow Optimizer recognizes this as a trusted flow and programs Brocade MLXe using the controller to bypass the firewall for this flow
• “White-listed” flow now bypasses Firewall and data transfer is faster and more efficient
Notes:
• L3 MLXe: VRF (1 & 6) and OF, or PBR (2) for one arm FW traffic and OF (1 & 6)
• BFO 1.2 can ensure flow in both directions is redirected via two action policies (stateful FW)
• HPC: High Performance Computing
• DTN: Data Transfer Nodes
Priority Data Superhighway
Campus Slowpath-Bypass Use Case
[Figure: High Performance Workstation/server, Brocade ICX or MLXe, normal path and priority path, with Brocade Flow Optimizer on the Brocade SDN Controller (OpenDaylight); numbered callouts 1-6.]
Callouts in the figure:
• Incoming flow from High Performance Workstation/server
• Routed using normal routed/switched path
• Brocade Flow Optimizer recognizes this as a trusted flow and that it is either a “large flow” or “priority application”. Programs Brocade ICX/MLXe using the controller to re-direct the traffic to priority path for this flow
• “White-listed” flow now placed on priority path and data transfer is faster and more efficient
Notes:
• L2 or L3 redirect action
• Need to ensure flow in both directions is redirected via policy
Summary of Additional REN Use Cases
• L7 / Botnet Attack Mitigation
• L2-L4 Volumetric Attack Mitigation
• BGP Remote Triggered Black Hole (RTBH) Mitigation
• DC Flow Management for Policy-based Security
[Figure: Internet, Brocade MLXe, and Brocade Flow Optimizer (REST API) on the Brocade SDN Controller (OpenDaylight).]
Thank you
Backup
L7 and Botnet Attack Mitigation
[Figure: Internet, three Brocade MLXe routers, an IDS, and Brocade Flow Optimizer (REST API) on the Brocade SDN Controller (OpenDaylight); numbered callouts 1-6.]
Callouts in the figure:
• Incoming Attack Flow
• Brocade Flow Optimizer initiates mirror action.
• MLXe mirrors flows to IDS. OF “mirror+normal” action.
• IDS detects L7 attack (Example: SYN Flood). API to BFO to discard flow.
• OF discard action.
Notes:
• Adds ability for advanced DDoS detection, up to L7
• Based upon the IDS (Palo Alto, Arbor etc.) detection capability
• API from IDS to BFO initiates additional discard actions
L2-L4 Volumetric Attack Mitigation
[Figure: Internet, three Brocade MLXe routers, and Brocade Flow Optimizer on the Brocade SDN Controller (OpenDaylight); numbered callouts 1-5.]
Callouts in the figure:
• Incoming Attack Flow
• Brocade Flow Optimizer recognizes this as a L2-L4 Volumetric Attack.
• Local Mitigation: Discard Flow (Redirect Optional)
Notes:
• Recommended when incoming aggregate attack traffic is 50% or less
• L2 – L4 local mitigation, based on sFlow sampling and DDoS policy
• OF discard action (Automated, Manual)
• 1/10GbE, 40GbE and 100GbE support
BGP Remote Triggered Black-Hole (RTBH) Mitigation
[Figure: Internet, upstream BGP router, three Brocade MLXe routers (one marked as the Triggering Device), and Brocade Flow Optimizer on the Brocade SDN Controller (OpenDaylight); numbered callouts 1-8.]
Callouts in the figure:
• Incoming Attack Flow
• Brocade Flow Optimizer recognizes this as a L2-L4 Volumetric Attack.
• Mitigation: Discard Flow
• Flow Optimizer initiates CLI static route to MLXe.
• MLXe advertises BGP Route (ex: /32, /28, /24, /23)
• Upstream BGP router: A) Discards flow to null0, or B) Re-directs traffic to cleaning site
Notes:
• L2 – L4 local mitigation does not protect upstream link
• If upstream link is congested above 50% by DDoS, add ability for RTBH to uncongest
• RTBH is a well known Internet operation
• Automated RTBH reduces mitigation time from 15 minutes or hours -> under 1 minute
L2 Firewall Bypass
Science-DMZ Use Case
[Figure: WAN/Internet, Brocade MLXe Router, Firewall and HPC/DTN Network, with Brocade Flow Optimizer on the Brocade SDN Controller (OpenDaylight); numbered callouts 1-6.]
Callouts in the figure:
• Incoming flow from upstream network
• Sent to Firewall for processing
• Brocade Flow Optimizer recognizes this as a trusted flow and programs Brocade MLXe using the controller to bypass the firewall for this flow
• “White-listed” flow now bypasses Firewall and data transfer is faster and more efficient
Notes:
• L2 MLXe
• BFO 1.2 can ignore, push, pop or modify VLAN ID
• BFO 1.2 can ensure flow in both directions is redirected via two action policies (stateful FW)
• HPC: High Performance Computing
• DTN: Data Transfer Nodes
L3 Firewall Bypass
Science-DMZ Use Case
[Figure: WAN/Internet, Brocade MLXe Router, Firewall and HPC/DTN Network, with Brocade Flow Optimizer on the Brocade SDN Controller (OpenDaylight); numbered callouts 1-6.]
Callouts in the figure:
• Incoming flow from upstream network
• Sent to Firewall for processing
• Brocade Flow Optimizer recognizes this as a trusted flow and programs Brocade MLXe using the controller to bypass the firewall for this flow
• “White-listed” flow now bypasses Firewall and data transfer is faster and more efficient
Notes:
• L3 MLXe: VRF (1 & 6) and OF, or PBR (2) for one arm FW traffic and OF (1 & 6)
• BFO 1.2 can ensure flow in both directions is redirected via two action policies (stateful FW)
• HPC: High Performance Computing
• DTN: Data Transfer Nodes
Enterprise DC Flow Management for Policy-Based Security
Operator driven or sFlow threshold driven policy enforcement for large trusted flows
[Figure: Enterprise Datacenter 1 and Enterprise Datacenter 2 connected over the WAN and Internet, with a One-armed Firewall and an Inline Firewall, Brocade Flow Optimizer and the Brocade SDN Controller; legend: Default Traffic Flow, Trusted Traffic Flow.]