Transcript SDN USG

May 8, 2014
JUNIPER / VMWARE NSX
TECHNICAL UPDATE
Daniel McGinniss
Copyright © 2014 Juniper Networks, Inc.
AGENDA
NSX – The Problem and Solution
Juniper / VMware – Strategy Update
Understanding NSX VXLAN Hardware Gateways
Introduction to Configuring NSX L2 Gateways
QFX5100 Connectivity Models
IMPETUS FOR CHANGE
What is the problem that NSX is attempting to solve?
Business Agility
• Moves/adds/changes
• Device-level config changes
• Resource allocation silos
Logical Scale
• 4096 VLANs
• MAC propagation
• VLAN member limitations
Multi-tenancy
• Lack of customer separation
• Difficult to gather flow stats
• Services are inflexible
THE SOLUTION
Decouple virtual network from physical network
[Figure: a logical Virtual Network (L2 / L3 / L2 segments between VMs) layered over the Physical network]
Business Agility Benefits
• No network-level changes
• Automated configuration
• No Layer 2 protocols
• Dynamic resource allocation
Logical Scaling Benefits
• Network is all Layer 3
• VM MACs are masked
• No need to configure VLANs
Support for multi-tenancy
• Similar to VRFs
• Pooled resources
• No need to configure VLANs
INTRODUCING OVERLAYS
Using VXLAN to “tunnel” across a Juniper underlay
[Figure: VxLAN tunnels meshed across the Juniper underlay]
VXLAN Attributes
• MACs are hidden from underlay
• No VLANs configured on the underlay
• Core is all Layer 3
• Server-to-server traffic is encapsulated
THE PACKET WALK
VM1 to VM4 communication in a VxLAN conversation
Step 1: VM1 sends a data packet onto the network via vSwitch
Step 2: VTEP module encapsulates VM1 packet in UDP/VxLAN header
Step 3: Kernel adds outer IP & Ethernet header addressed to remote hypervisor
Step 4: IP packet received by remote hypervisor
Step 5: IP header removed, UDP/VxLAN packet sent to VTEP
Step 6: VTEP de-encapsulates UDP/VxLAN header, VM1 packet delivered to VM4
[Figure: two hypervisors (vSwitch, VXLAN VTEP, Kernel IP Stack) hosting VM1–VM6 across an IP Transport Network; the encapsulated packet on the wire is Outer Eth | Outer IP | UDP | VXLAN | VM1 Eth | VM1 IP | VM1 TCP | VM1 App Data]
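The six steps above carried out in code, as an added example that is not from the deck or from Juniper/VMware: encapsulate builds the slide's header stack on the sending hypervisor (steps 2 and 3) and decapsulate strips and validates it on the receiving one (steps 5 and 6). The hypervisor MACs and VTEP IPs, the VNI and the VM1 frame bytes used with it are constructed sample values.

```python
"""Added example (not from the deck): the packet walk above, in code.
Builds the header stack on the slide (Outer Eth | Outer IP | UDP | VXLAN |
VM1 Eth | VM1 IP | VM1 TCP | VM1 App Data) on the sending hypervisor and
strips it on the receiving one. Addresses and the VNI are constructed values."""
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_I = 0x08     # "I" flag: the VNI field is valid

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ipv4(s):
    return bytes(int(o) for o in s.split("."))

def ipv4_checksum(hdr):
    # One's-complement sum of 16-bit words; a header with a valid checksum sums to 0.
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def encapsulate(inner, vni, src_vtep_ip, dst_vtep_ip, src_hv_mac, dst_hv_mac, sport=49152):
    """Step 2 (VTEP adds UDP/VXLAN) and step 3 (kernel adds outer IP and Ethernet)."""
    vxlan = struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)          # flags, rsvd, VNI:24, rsvd:8
    udp_len = 8 + len(vxlan) + len(inner)
    udp = struct.pack("!HHHH", sport, VXLAN_UDP_PORT, udp_len, 0)  # UDP checksum 0 = not used
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     ipv4(src_vtep_ip), ipv4(dst_vtep_ip))        # DF set, TTL 64, proto 17 UDP
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill in header checksum
    eth = mac(dst_hv_mac) + mac(src_hv_mac) + b"\x08\x00"          # outer Ethernet, type IPv4
    return eth + ip + udp + vxlan + inner

def decapsulate(packet):
    """Steps 5-6 on the remote hypervisor: peel the outer headers, return (vni, inner frame).
    Rejects malformed input; a real VTEP must also check the VNI is one it serves."""
    if packet[12:14] != b"\x08\x00":
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[14] & 0x0F) * 4
    if ipv4_checksum(packet[14:14 + ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    udp_off = 14 + ihl
    if struct.unpack("!H", packet[udp_off + 2:udp_off + 4])[0] != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    flags, vni_field = struct.unpack("!B3xI", packet[udp_off + 8:udp_off + 16])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    return vni_field >> 8, packet[udp_off + 16:]
```

The outer Ethernet and IP headers carry only hypervisor addresses, which is the "MACs are hidden from underlay" property from the overlays slide.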
THE BIG PICTURE
Trends of the SDN Data Center
Management Plane: centralize provisioning and orchestration (Network Director, Orchestration)
Control Plane: centralize route distribution, topology discovery and tunnel mapping (NSX Controller)
Data Plane: network overlays tunnel across the physical network (VxLAN to the hypervisors, Bare Metal and Services GW; Private WAN, DCI, Internet)
VMWARE OVERLAY OPTIONS
Description
• NSX for vSphere: Overlay solution with ESXi and VMware server management tools
• NSX for Multi Hypervisor: Overlay solution with multi-hypervisor and multiple cloud management platform support
• VXLAN without Controllers: Overlay solution without a controller
Cloud Management Platforms (CMP)
• NSX for vSphere: VMware vCloud Director
• NSX for Multi Hypervisor: OpenStack, CloudStack, custom
• VXLAN without Controllers: VMware vCloud Director
SDN Controller
• NSX for vSphere: NSX for vSphere
• NSX for Multi Hypervisor: NSX for MH
• VXLAN without Controllers: No controller
End Point Reachability
• NSX for vSphere: L3 Multicast, Unicast or hybrid
• NSX for Multi Hypervisor: OVSDB control plane
• VXLAN without Controllers: L3 Multicast, Unicast or hybrid
Network
• All three: IP/Ethernet transport
Virtual Switch
• NSX for vSphere: VMware VDS
• NSX for Multi Hypervisor: Open vSwitch (XEN, KVM) & NSX vSwitch for ESXi
• VXLAN without Controllers: VMware VDS
Hypervisor
• NSX for vSphere: ESXi
• NSX for Multi Hypervisor: XEN, KVM, ESXi, Redhat
• VXLAN without Controllers: ESXi
Support L3 Multicast-Based Data Plane Learning
• NSX for vSphere: Yes
• NSX for Multi Hypervisor: No
• VXLAN without Controllers: Yes
Overlay Encapsulation
• NSX for vSphere: VXLAN
• NSX for Multi Hypervisor: GRE (for VMs that need to pass firewalls), STT (VM to VM), VxLAN (VM to HW VTEP)
• VXLAN without Controllers: VxLAN
JUNIPER / VMWARE PARTNERSHIP
Five “Areas of Collaboration”
1. Smart forwarding across physical and virtual infrastructure
2. End-to-end visibility and management
3. Telemetry and analytics
4. Integrated security
5. Application/flow-based traffic handling
JUNIPER / VMWARE PARTNERSHIP
Marketing Work Streams
1. Jointly published whitepaper: Daniel McGinniss / Scott Lowe (VMware)
   http://www.juniper.net/us/en/local/pdf/whitepapers/2000570-en.pdf
2. Joint blog: Denise Shiffman / Hatem Naguib (VMware)
   http://forums.juniper.net/t5/The-New-Network/Juniper-and-VMware-Collaborating-to-Enable-Cloud-Builders/ba-p/237286
3. Interop Las Vegas 2014 keynote: Pat Gelsinger, CEO VMware
   http://www.interop.com/video/keynotes/?videoID=3431240580001
NETWORK DEVICES IN THE DATA CENTER
Bare Metal Servers
• Databases
• HPC
• Legacy Apps
• Non x86
• IP Storage
Virtualized Servers
• ESX
• ESXi
• KVM
• XEN
SDN Servers
• NSX-vSphere ESXi
• NSX-MH ESXi
• NSX-MH KVM
• NSX-MH XEN
L4 – 7 Appliances
• Firewalls
• Load Balancers
• NAT
• Intrusion Detection
• VPN Concentrator
ALL THE DEVICES NEED TO COMMUNICATE
Four primary use cases
• SDN to IP (Layer 2): provide SDN-to-non-SDN translation, same IP subnet
• SDN to IP (Layer 3): provide SDN-to-non-SDN translation, different IP subnet
• SDN to SDN: provide SDN-to-SDN translation, same or different IP subnet, same or different overlay
• SDN to WAN: provide SDN-to-WAN translation, same or different IP subnet, same or different encapsulation (remote data center, branch offices, Internet)
TWO GATEWAY OPTIONS
Layer 2 Gateway
• QFX5100
• 1 of 4 use cases
• Standalone, Virtual Chassis or Virtual Chassis Fabric
• Relatively low cost
Universal SDN Gateway (USG)
• MX Series & EX9200
• 4 of 4 use cases
• Custom silicon = future proof
• Higher cost, larger footprint
USGs INSIDE THE DATA CENTER
Using Layer 2 USGs to bridge between devices that reside within the same IP subnet:
1. Bare metal servers like high-performance databases, non-x86 compute, IP storage, non-SDN VMs
2. Layer 4–7 services such as load balancers, firewalls, Application Device Controllers, and Intrusion Detection/Prevention gateways.
[Figure: Data Center 1; the NSX Controller programs the Layer 2 USG over OVSDB; VxLAN toward NSX SDN Pod 1, native IP L2 toward the Legacy Pods and L4–7 Services]
USGs INSIDE THE DATA CENTER
Using Layer 3 USGs to route between devices that reside within different IP subnets:
1. Bare metal servers like high-performance databases, non-x86 compute, IP storage, non-SDN VMs
2. Layer 4–7 services such as load balancers, firewalls, Application Device Controllers, and Intrusion Detection/Prevention gateways.
[Figure: Data Center 1; the NSX Controller programs the Layer 3 USG over OVSDB; VxLAN toward NSX SDN Pod 1, native IP L3 toward the Legacy Pods and L4–7 Services]
USGs INSIDE THE DATA CENTER
Using SDN USGs to communicate between islands of SDN:
1. NSX to NSX – Risk, scale, change control, administration
2. NSX to Contrail – Multi-vendor, migrations
[Figure: Data Center 1; the NSX Controllers program the SDN USG over OVSDB and the Contrail Controller over NetConf / MBGP; VxLAN toward NSX SDN Pod 1 and NSX SDN Pod 2, MPLSoverGRE toward Contrail SDN Pod 1]
USGs FOR REMOTE CONNECTIVITY
Using WAN USGs to communicate to resources outside the local data center:
1. Data Center Interconnect – SDN to [VPLS, EVPN, L3VPN]
2. Branch Offices – SDN to [GRE, IPSec]
3. Internet – SDN to IP (Layer 3)
[Figure: Data Center 1 (NSX Controller DC1, OVSDB to the WAN USG, VxLAN to NSX SDN Pod 1) connected over EVPN to Data Center 2 (NSX Controller DC2, NSX SDN Pod 2), over GRE to Branch Offices, and over native IP L3 to the Internet]
UNIVERSAL GATEWAY SOLUTIONS
[Figure: summary of all four gateways in Data Center 1: Layer 2 USG and Layer 3 USG between VxLAN (NSX SDN Pod 1) and native IP L2/L3 (Legacy Pods, L4–7 Services); SDN USG between the NSX SDN Pods (VxLAN) and Contrail SDN Pod 1 (MPLSoverGRE); WAN USG to Data Center 2 (EVPN), Branch Offices (GRE) and the Internet (native IP L3)]
USG COMPARISONS MATRIX
Layer 2 USG
• Description: Provide SDN-to-non-SDN translation, same IP subnet
• Use cases: NSX or Contrail talk Layer 2 to non-SDN VMs, bare metal and L4-7 services
• Platforms: QFX5100, MX Series/EX9200
Layer 3 USG
• Description: Provide SDN-to-non-SDN translation, different IP subnet
• Use cases: NSX or Contrail talk Layer 3 to non-SDN VMs, bare metal and L4-7 services and Internet
• Platforms: MX Series/EX9200
SDN USG
• Description: Provide SDN-to-SDN translation, same or different IP subnet, same or different overlay
• Use cases: NSX or Contrail talk to other PODs of NSX or Contrail
• Platforms: MX Series/EX9200
WAN USG
• Description: Provide SDN-to-WAN translation, same or different IP subnet
• Use cases: NSX or Contrail talk to other remote locations – branch, DCI
• Platforms: MX Series/EX9200
Other rows of the matrix: X86 Appliance ✔ ✔ (two of the four USG roles), Competing ToRs ✔ (one), Competing Chassis ✔ (one)
VMWARE NSX L2 GATEWAY OPERATION
[Figure: VMware NSX Controller between the Virtual Network (Virtual VTEP) and the Physical Environment (Hardware VTEP)]
1. VTEPs register with VMware NSX
2. Virtual VTEP MAC addresses advertised to hardware VTEPs
3. Virtual Network Identifiers mapped to VXLANs / VLANs
4. Hardware VTEPs send physical MAC addresses to VMware NSX
5. VMware NSX publishes mappings to all VTEPs
6. Traffic flows between virtual and physical environments
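The six-step exchange above as a small simulation, added here and not part of the deck or of any Juniper/VMware code: NsxController stands in for VMware NSX, Vtep for both the hypervisor's virtual VTEP and the QFX5100 hardware VTEP, and forward shows the step 6 decision a hardware VTEP makes for a frame arriving from the bare metal port. VTEP IPs, MACs, the VNI and the VLAN number are constructed; xe-0/0/3 is the access port named on the Junos CLI slide.

```python
"""Added example (not from the deck): the six-step L2 gateway exchange above as a
small simulation. NsxController stands in for VMware NSX, Vtep for both the
hypervisor (virtual VTEP) and the QFX5100 (hardware VTEP). Addresses, MACs, the VNI
and the VLAN are constructed; xe-0/0/3 is the access port named on the CLI slide."""

class NsxController:
    def __init__(self):
        self.vteps = {}        # step 1: VTEP ip -> Vtep, populated by registration
        self.mac_table = {}    # (vni, mac) -> ip of the VTEP that owns the MAC

    def register(self, vtep):
        self.vteps[vtep.ip] = vtep

    def advertise(self, vni, mac, vtep_ip):
        """Steps 2 and 4: a VTEP reports a MAC it owns; step 5: push it to every other VTEP."""
        if vtep_ip not in self.vteps:
            raise PermissionError("MAC advertisement from unregistered VTEP %s" % vtep_ip)
        self.mac_table[(vni, mac)] = vtep_ip
        for v in self.vteps.values():
            if v.ip != vtep_ip:
                v.remote_macs[(vni, mac)] = vtep_ip

class Vtep:
    def __init__(self, ip, controller):
        self.ip, self.controller = ip, controller
        self.bindings = {}     # step 3: (port, vlan) -> vni (logical switch)
        self.local_macs = {}   # (vni, mac) -> port, learned on the wire
        self.remote_macs = {}  # (vni, mac) -> remote VTEP ip, pushed by the controller
        controller.register(self)                 # step 1

    def bind(self, port, vlan, vni):
        self.bindings[(port, vlan)] = vni

    def learn_local(self, port, vlan, mac):
        vni = self.bindings[(port, vlan)]         # KeyError: port/vlan not bound to a logical switch
        self.local_macs[(vni, mac)] = port
        self.controller.advertise(vni, mac, self.ip)

    def forward(self, port, vlan, dst_mac):
        """Step 6: decide where a frame arriving on (port, vlan) for dst_mac goes."""
        vni = self.bindings.get((port, vlan))
        if vni is None:
            return ("drop", "no logical switch bound to %s vlan %d" % (port, vlan))
        if (vni, dst_mac) in self.local_macs:
            return ("local", self.local_macs[(vni, dst_mac)])
        if (vni, dst_mac) in self.remote_macs:
            return ("vxlan", self.remote_macs[(vni, dst_mac)], vni)
        return ("unknown", vni)   # BUM traffic; replication handling is out of scope here
```

Because every table is keyed by (VNI, MAC), the same MAC address in two logical switches never collides, which is the per-tenant separation the earlier slides ask for.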
JUNOS CLI OUTPUT
Juniper VXLAN VTEP Gateway Switch Setup
Juniper QFX5100 show commands to see dynamically created VLANs, interface bindings and MACs.
Port xe-0/0/3 is attached to a bare metal server and is configured as an access port.
Controller IP is 30.30.30.4.
[Figure: Junos CLI output]
NSX MANAGER OUTPUT
[Figure: NSX Manager screenshot]
CONNECTIVITY MODELS WITH QFX SERIES
Virtual Chassis Fabric
• Physical server multihoming
• Virtual Chassis Fabric abstracted as VTEP for all physical servers in fabric
• Simplified management & provisioning
• Resiliency
• Supported only with Virtual Chassis Fabric of QFX5100s
[Figure: QFX5100 Virtual Chassis Fabric with Spine 1–4]
CONNECTIVITY MODELS WITH QFX SERIES
Virtual Chassis
• 2-member Virtual Chassis
• L3 scale out with Virtual Chassis for BM end-host connectivity (BGP/OSPF)
• Two-member Virtual Chassis only
• Simple to deploy with abstraction across a pair of switches
• L3 protocols from TORs including Virtual Chassis
CAVEATS
• MC-LAG not supported (planned)
• Only L2 access ports supported; L2 trunking support planned
• Ephemeral DB (separate CLI & controller config) planned
• Multi-controller support not available