
Software Defined Networks: Present and Future

As a well-known writer once said, "... once they considered an electric light bulb a miracle, yet for ordinary spectacles on the nose a person could easily have been burned at the stake ...". Humanity is largely inert and conservative in its views. People do not take to the new straight away; as you know, the first two manufacturers of the zipper went bankrupt. Things we now take for granted sometimes go through several turns of the spiral before they become a normal part of everyday life. The same can be said of technology.

Let's talk about today's fashionable topic, the so-called software defined networks (Software Defined Networks, SDN), which, it seems to me, have already passed all the preliminary stages and are ready to become the real mainstream of network development in the near future. I'll start with a few theses as a short introduction:

  1. "All news is usually well-known things, but every time it happens to new people": the very idea of centralizing the network's intelligence is not new, and networks have already partly travelled this path. Recall how the Internet worked in its infancy, how the first gateway-to-gateway protocols worked, how hub-based networks operated across bridges that in fact concentrated the intelligence (and such networks surely still exist somewhere), and remember too the configuration automation and provisioning systems. There are many examples. But the SDN concept is unique in that its main idea is not simply to centralize the network's intelligence on a dedicated device, the controller, but to manage the data plane directly, from a single center common to the entire network, using special protocols. In effect this means moving the control plane of the entire network onto a centralized, external hardware base, rather than the usual separation of the control and data planes into processes, ASICs or circuit boards within a single device that is managed remotely through standard interfaces such as CLI or SNMP.
  2. "The first thing any dictator does is simplify all concepts": in this respect the SDN ideology is, from the point of view of the network devices, completely "dictatorial". The SDN controllers "think" for the switches and decide which packets go where; the switch is assigned the role of a simple executor. Complex network tasks (such as loop protection or security) are solved by specialized applications in the centralized control plane on the controllers.
  3. "All weak people tend to think it would be great if nobody ruled them; at the same time they do not realize that they cannot govern themselves or others...": the SDN ideology makes it possible to simplify the network devices themselves to the limit (in essence, to support the control protocol for talking to the controller plus basic switching functions), which makes them weak and therefore cheap. Ultimately this can drastically reduce OPEX, something that keeps every IT budget holder awake at night.
  4. "For the flag to fly, you have to walk into the wind": HP was a pioneer in SDN technologies and one of the first to enter the market with a working solution (more on it a little further down). When OpenFlow did not yet exist and the network industry had other technologies in focus, HP was already taking part in developing OpenFlow's predecessor (Ethane, in 2007); it then became one of the active participants in the Open Networking Foundation (ONF) and, in 2011, in InCENTRE (the OpenFlow testing center).

To summarize: SDN is a networking ideology in which all the network's intelligence is placed on a separate hardware/software base and all traffic management is carried out using special protocols (for example, OpenFlow) that operate on the notion of a flow and can perform various actions on it (allow, deny, redirect, rewrite packet fields, etc.). In effect, the controller determines the network's management policy from the configured rules and from the work of specialized applications (for example, ones emulating STP or routing protocols). The final result is then passed to the switches over the OpenFlow protocol in the form of flow tables that state where, how and what traffic to send. On the one hand this approach gives greater flexibility in network management; on the other, it greatly simplifies the administration (and, in part, the architecture) of the network.
A separate topic is building a network security system on top of OpenFlow. The controller in effect centralizes this function too (as a specialized application) and can potentially take over all the intelligence of firewalls, IPSs and other traditional network protection systems.
HP was one of the first to release a commercial product supporting the OpenFlow protocol. HP switches that support OpenFlow are hybrid, i.e. they work simultaneously in two modes: OpenFlow and traditional switching. Consider a simple example with three HP 3800 series switches connected in a ring, like this:



Several options were assembled as controllers: Floodlight, SNAC and NOX. In this example two controllers, SNAC and Floodlight, are configured on the switches, like this:

    openflow
      enable
      controller-id 1 ip 192.168.2.10 controller-interface oobm
      controller-id 2 ip 192.168.2.11 controller-interface oobm

Two instances are configured in OpenFlow, each associated with a separate controller that manages traffic in its own VLAN. In this example the SNAC controller manages traffic in VLAN 3 and the Floodlight controller manages traffic in VLAN 4, like this:

      instance "snac"
        member vlan 3
        controller-id 1
        limit software-rate 10000
        connection-interruption-mode fail-standalone
        max-backoff-interval 10
        enable
        exit
      instance "floodlight"
        member vlan 4
        controller-id 2
        limit software-rate 10000
        connection-interruption-mode fail-standalone
        enable
        exit
      hardware-statistics refresh-rate 10

The VLANs managed through OpenFlow have specific ports assigned to them, like this:

    vlan 3
      name "SNAC"
      untagged 1/3,1/13
      tagged 1/1,1/23-1/24
      no ip address
      exit
    vlan 4
      name "FLOODLIGHT"
      untagged 1/4,1/14
      tagged 1/1,1/23-1/24
      no ip address
      exit

And with that, the OpenFlow configuration on the switches is complete. The controller then discovers the switches and registers them; this is how it looks in the SNAC web interface:



Then, as soon as real traffic appears on the ports controlled through OpenFlow, the controller sees the sources the traffic is coming from:



and, based on the configured settings, gives the switch information about the traffic flows it should handle. The flows sent to the switch can be viewed in the switch CLI like this:



Various rules can then be applied to the traffic. For example, the SNAC controller has a tab where access policies can be applied by different parameters (src/dst MAC, src/dst IP, TCP ports, etc.):
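The summary earlier on the page (controller holds the policy, switch receives flow tables with match fields and actions such as allow, deny, redirect or rewrite) and the access-policy tab just described come together in the following added Python model. It is a simplification written for this page, not the code of SNAC, Floodlight or the HP switch: the policy tuples, the FlowEntry fields and the packet dictionaries are this example's own OpenFlow-1.0-style shorthand, and the sample packets are constructed. The point it shows is the division of labour: the switch only matches packets against installed entries by priority and, on a table miss, sends a packet-in; the controller evaluates its access policies once and answers with a flow entry, after which later packets of that flow never reach the controller.

```python
"""Toy model of the controller/switch split the article describes.

Added illustration, not the code of SNAC, Floodlight or the HP switch.
Match fields, actions and policies are a simplified OpenFlow 1.0 shape;
all packets below are constructed sample data.
"""
from dataclasses import dataclass

MATCH_FIELDS = ("in_port", "src_mac", "dst_mac", "src_ip", "dst_ip", "proto", "tcp_dst")


@dataclass(frozen=True)
class FlowEntry:
    priority: int
    match: tuple    # ((field, value), ...); a field not listed is a wildcard
    actions: tuple  # e.g. (("drop",),) or (("set_dst_ip", "10.0.4.20"), ("output", 2))

    def matches(self, pkt):
        return all(pkt.get(k) == v for k, v in self.match)


class Switch:
    """Data plane only: match against the flow table, ask the controller on a miss."""

    def __init__(self, controller):
        self.controller = controller
        self.table = []   # FlowEntry list kept highest-priority first
        self.hits = {}    # FlowEntry -> packets matched (per-flow counters)

    def install(self, entry):
        self.table.append(entry)
        self.table.sort(key=lambda e: e.priority, reverse=True)

    def forward(self, pkt):
        entry = next((e for e in self.table if e.matches(pkt)), None)
        if entry is None:                       # table miss -> packet-in
            entry = self.controller.packet_in(self, pkt)
        self.hits[entry] = self.hits.get(entry, 0) + 1
        return self.apply(entry, pkt)

    @staticmethod
    def apply(entry, pkt):
        out = dict(pkt)
        for action in entry.actions:
            if action[0] == "drop":
                return None
            if action[0] == "output":
                out["out_port"] = action[1]
            elif action[0].startswith("set_"):  # header rewrite, e.g. set_dst_ip
                out[action[0][4:]] = action[1]
        return out


class Controller:
    """Control plane: the policy lives here; the switch only gets compiled entries."""

    def __init__(self, policies, mac_table):
        self.policies = policies    # (priority, match dict, actions), any order
        self.mac_table = mac_table  # dst_mac -> port, learned or configured
        self.packet_ins = 0

    def packet_in(self, switch, pkt):
        self.packet_ins += 1
        for prio, match, actions in sorted(self.policies, key=lambda p: -p[0]):
            if all(pkt.get(k) == v for k, v in match.items()):
                entry = FlowEntry(prio, tuple(match.items()), actions)
                break
        else:
            # No policy hit: plain L2 forwarding, installed as an exact-match
            # flow so the rest of the conversation is switched without us.
            port = self.mac_table.get(pkt["dst_mac"], "flood")
            entry = FlowEntry(1, tuple((k, pkt[k]) for k in MATCH_FIELDS if k in pkt),
                              (("output", port),))
        switch.install(entry)
        return entry


def demo():
    """Run constructed packets through one switch driven by a policy-holding controller."""
    policies = [
        (100, {"dst_ip": "10.0.4.10", "proto": "tcp", "tcp_dst": 23}, (("drop",),)),   # no telnet to server
        (90, {"src_mac": "00:11:22:33:44:55"}, (("drop",),)),                             # quarantined host
        (80, {"dst_ip": "10.0.4.10", "proto": "tcp", "tcp_dst": 80},
         (("set_dst_ip", "10.0.4.20"), ("output", 2))),                                   # web -> mirror
    ]
    ctrl = Controller(policies, mac_table={"aa:aa:aa:aa:aa:01": 1, "aa:aa:aa:aa:aa:02": 2})
    sw = Switch(ctrl)
    base = {"in_port": 3, "src_mac": "aa:aa:aa:aa:aa:03", "src_ip": "10.0.4.30", "proto": "tcp"}
    pkts = [
        {**base, "dst_mac": "aa:aa:aa:aa:aa:02", "dst_ip": "10.0.4.10", "tcp_dst": 23},  # denied
        {**base, "dst_mac": "aa:aa:aa:aa:aa:02", "dst_ip": "10.0.4.10", "tcp_dst": 80},  # redirected
        {**base, "dst_mac": "aa:aa:aa:aa:aa:01", "dst_ip": "10.0.4.11", "tcp_dst": 22},  # plain L2
        {**base, "dst_mac": "aa:aa:aa:aa:aa:01", "dst_ip": "10.0.4.11", "tcp_dst": 22},  # same flow, table hit
        {**base, "src_mac": "00:11:22:33:44:55", "dst_mac": "aa:aa:aa:aa:aa:01",
         "dst_ip": "10.0.4.11", "tcp_dst": 22},                                           # quarantined
    ]
    return [sw.forward(p) for p in pkts], sw, ctrl


if __name__ == "__main__":
    results, sw, ctrl = demo()
    for r in results:
        print("dropped" if r is None else f"out_port={r['out_port']} dst_ip={r['dst_ip']}")
    print(f"{ctrl.packet_ins} packet-ins, {len(sw.table)} flows installed")
```

Five packets produce four packet-ins: the repeated SSH packet is served from the exact-match entry the controller installed for the first one, which is the whole economic argument of the article (cheap switches, one place to decide). It also shows why the controller's availability matters so much once it carries security policy, since every new flow waits on it.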



The network topology can be viewed as well; in Floodlight it looks like this:



Various flow statistics and the history of events (who registered on the network, etc.) can also be viewed; in SNAC this tab looks like this:



In short, all the intelligence of the network managed through OpenFlow now sits on the controllers, where the entire network policy is decided. An important point I want to stress: both controllers used in the lab were built from open-source projects, and the HP switches work properly with both.

They say that when Bertrand Russell was asked, "Are you ready to die for your convictions?", he replied: "Of course not! I could be wrong." I, too, could be wrong, but in my opinion, when SDN turns from a major trend into the mainstream (and this will happen very soon, given Moore's law and how quickly technologies recognized as "right" develop), the familiar world of networks we know today will change beyond recognition.

Source: https://habr.com/ru/post/160531/
