White Paper Simplify NFV Deployment - Intel Builders

White Paper

Simplify NFV Deployment for Service Providers and Enterprises in the Data Center and Hybrid Cloud

Cisco, Intel, and Radware Collaborate to Accelerate the Adoption of High-Performance NFV

Contributors
- Travis Volk, Technical VP of Sales Development, travis.volk@radware.com
- Ilango Ganga, PE, Standards and Strategic Initiatives, Ilango.s.ganga@intel.com
- Jalal Sadreameli, Market Development Manager, jalal.e.sadreameli@intel.com
- Ken Hook, Technical Marketing Engineer, khook@cisco.com
- Gunnar Anderson, Product Line Manager, guanders@cisco.com
- Jim French, Distinguished Systems Engineer, jifrench@cisco.com

© 2016 Cisco Intel Radware. All rights reserved.

Contents
- Barriers to Network Functions Virtualization Technology Adoption
- NFV Benefits and Adoption Challenges
- Cisco NFV Platform Software: Cisco Cloud Services Platform 2100
- Intel Architecture, Software, and Hardware
- Radware VNF Fueled by Cisco and Intel
- Radware Network Functions Virtualization
- Radware Attack-Mitigation Solution
- Radware NFV Solution Use Cases
- Use Case 1: Virtual Customer Premises Equipment
- Use Case 2: Mobile Data Center
- Use Case 3: Software-Defined Networking
- Conclusion
- For More Information

Barriers to Network Functions Virtualization Technology Adoption

For today’s service providers and enterprises, bandwidth demands continue to increase and evolve. The introduction of Internet of Things (IoT) solutions, such as smart homes, smart cities, connected cars, and connected medical devices, is forcing organizations to change existing business models and to build more cost-effective networks.

In addition to reduced capital expenditures (CapEx) and operating expenses (OpEx) for basic connectivity services, service providers and enterprises are seeking unique technology values that will distinguish their offerings from those of competing service providers and over-the-top (OTT) solution vendors. Fast service introduction, agility, scalability, security, and low-latency access serve as the main differentiators of OTT content and the content offered by application providers.

Network functions virtualization (NFV) technologies are designed to meet this challenge and make better use of an organization’s network investments. They can provide the tools to effectively grow complex network and server environments to meet business, application, and subscriber needs, while better matching revenue through smart utilization of the network.

NFV Benefits and Adoption Challenges

- As NFV enables the decoupling of network functions from their physical location, services can be placed at the most cost-effective locations. Also made possible are multisite application availability, scalability, cloud bursting, and real-time deployment.
- Operation cost reductions can be achieved through end-to-end service lifecycle management, resulting from common automation and operating procedures.
- Open and standardized interfaces between virtualized network functions and the infrastructure enable service providers and enterprises to avoid vendor lock-in. Each service provider or enterprise can select its own best-in-class options and run in a multi-vendor environment.

The goal of NFV technology is to alleviate some of the challenges of the modern network using the following means:

- NFV is designed to use x86 hardware, which allows more efficient use of capital than dedicated purpose-built hardware appliances. Significant cost reductions can be achieved through the following:
  -- Hardware sharing and repurposing
  -- Fast packet-processing algorithm for x86 servers based on the Intel Data Plane Development Kit (DPDK)
  -- Single-Root I/O Virtualization (SR-IOV) and pass-through technologies, which increase hardware performance
  -- Hosting network functions, known as virtualized network functions (VNFs)
- Software-based NFV deployments alongside real-time software-defined networking (SDN) programming result in rapid service introduction and improved operation efficiency.

Despite the many advantages of NFV, service providers and enterprises are still concerned that NFV technology is not mature enough to provide robust performance and service assurance. Furthermore, the distributed multi-site and multicloud application enablement that NFV offers introduces massive security challenges. Security policies should be enforced in an environment without a perimeter.

Cisco NFV Platform Software: Cisco Cloud Services Platform 2100

Cisco Cloud Services Platform (CSP) 2100 (Figure 1) is a turn-key NFV and Open x86 Linux Kernel-based Virtual Machine (KVM) software platform for both service provider and enterprise environments. The CSP 2100 is a platform without all the complexities and overhead that come with OpenStack deployments. You can start with only one host, then add additional hosts as needed to scale out.

The CSP 2100 bridges network, server, and security teams by offering several ways to manage and operate the platform. You can manage the platform using a GUI, command-line interface (CLI), representational state transfer (REST) API, and/or Network Configuration Protocol (NETCONF) using Cisco Network Services Orchestrator (NSO). The orchestrator has been used predominantly in service provider environments, but it is now increasingly being used in enterprise environments.

Figure 1. Cisco CSP 2100 High-Level Architecture (labels in the figure: Alteon, Radware DefensePro, NSO; CSP Software, ConfD, KVM, OVS, DPDK, PCIe PT & SR-IOV; UCS C-series 1RU/2RU rack servers, 1G, 10G & 40G Intel NICs)

The platform enables users to quickly deploy any Cisco or third-party network VNF that supports the KVM hypervisor. The CSP 2100 NFV platform is shipping today with the CSP software running on Cisco UCS C-Series Rack Servers for 1 and 2 rack units (1RU and 2RU).

The CSP 2100 is designed for a variety of use cases in the cloud, data center, point-of-presence (POP), central office (CO), co-location (COLO), carrier-neutral facility (CNF), WAN aggregation, DMZ and extranet, core network, and server farm environments. Figure 2 shows the Dashboard within the GUI. A simple 2-node cluster is displayed with one VNF running on “csp1”.

Figure 2. Cisco CSP 2100 GUI Showing a Simple 2-Node Cluster

Intel Architecture, Software, and Hardware

The Intel Xeon E5-2600 v3 product family offers the following innovative features in the 22-nanometer (nm) Intel process technology node:

- Accelerated boot and runtime security with little overhead and faster encryption
- Technologies targeting virtual machine integrity improvement during migration and runtime
- Asynchronous dynamic random access memory (DRAM) refresh for memory data protection
- Comprehensive reliability, availability, and serviceability (RAS) features optimized for demanding communications infrastructure needs

The Intel Ethernet Controller XL710 delivers a variety of features, including:

- Software-configurable Ethernet port speed for up to two 40 Gigabit Ethernet or up to four 10 Gigabit Ethernet connectivity
- Network virtualization overlay stateless offloads for Generic Network Virtualization Encapsulation (Geneve), Virtual Extensible LAN (VXLAN), and Network Virtualization Using Generic Routing Encapsulation (NVGRE) protocols
- Intelligent load balancing for high-performance traffic flows of virtual machines
- Intel DPDK optimized for efficient packet processing to support NFV

Intel DPDK offers the following features:

- A set of optimized software libraries and drivers that can be used to accelerate packet processing on Intel architecture
- Support for buffer management, queue and ring functions, flow classifications, network interface cards (NICs), poll mode drivers (PMDs), and an environmental abstraction layer (EAL)

Radware VNF Fueled by Cisco and Intel

Radware offers NFV and attack-mitigation solutions fueled by Cisco and Intel technologies.

Radware Network Functions Virtualization

The Radware Alteon and DefensePro virtual appliances decouple network functions from dedicated underlying hardware, allowing next-generation services on the CSP 2100 (Figure 3). Delivering a scalable, ultra-high capacity of up to 225 Gbps per instance (Layer 4) and up to 1 Tbps per cluster, the Alteon virtual appliance for NFV:

- Reduces total cost of ownership (TCO)
- Simplifies network services deployment
- Enables capacity elasticity through a simple license upgrade
- Automates service lifecycle management

A total of 225 Gbps was achieved on a CSP 2100 2RU form-factor solution, which included the following:

- Intel Xeon processor E5-2699 v3 2.30-GHz 145W CPU with 18-core 45-MB cache and DDR4 at 2133 MHz and Intel Xeon processor E3-2600 v3 CPU (two processors)
  Note: Intel Broadwell processors were not available when testing started, but they will be available in Q3CY16 on the CSP 2100.
- Dual-port 40-Gbps Quad Enhanced Small Form-Factor Pluggable (QSFP+) Intel Ethernet Controller XL710 NICs (six cards total)
- Radware Alteon virtual appliance for NFV
- CSP 2100 Software running on a 2RU Cisco UCS C240 M4 Rack Server

Figure 3. Radware VNF Fueled by Cisco and Intel (labels in the figure: Cisco CSP 2100; Radware VNF, Alteon VA for NFV; Intel XL710 NICs)

The Alteon and DefensePro VNFs provide highly efficient resource utilization on open-source hypervisors by redesigning the virtualization approach to incorporate new technologies that increase overall performance:

- They bypass the hypervisor’s virtual switch, providing direct and fast access to the physical NICs of the server based on the Intel PCIe pass-through, which is available on the Intel Niantic (Intel 82599 10-Gbps Ethernet controller) and Fortville (Intel Ethernet Controller XL710) NICs.
- They use a fast-packet-processing algorithm for x86 server-based platforms such as the CSP 2100, which is based on the Intel DPDK code.
- They use the non-uniform memory access (NUMA) topology of the host server, which enables the VNF to optimize its performance to the underlying server configuration.

These capabilities enable the Alteon virtual appliance for NFV to reach the industry’s best performance of up to 225 Gbps on the CSP 2100.

Radware Attack-Mitigation Solution

The Radware Attack Mitigation Solution (AMS) is a multi-layered security architecture that is well suited for service providers, including carriers and cloud providers. It is based on these main pillars: robust data collection, anomaly detection, attack mitigation, service automation, and attack lifecycle management.

AMS is a hybrid solution offering multi-vector attack detection and mitigation. It combines always-on, on-demand, and cloud peak protection service layers to help guarantee availability in an evolving threat landscape.

AMS provides zero-day network-to-application protection, malware propagation protection, and intrusion defense with the most complete distributed denial-of-service (DDoS) solution on the market. Radware offers unique behavioral capabilities for detecting and generating adaptive real-time signatures with encrypted attack support. A web application firewall is integrated through signaling, combining expression protection with the performance of volumetric mitigation. End-to-end visibility and reporting allows service providers to monetize tailored service through a multitenant managed services service provider (MSSP) portal. Radware partners with service providers to help guarantee mitigation support with an emergency response team (ERT) dedicated to defending customers from attack.

Radware NFV Solution Use Cases

Radware NFV solutions are compatible with cloud, carrier, and enterprise application and service delivery environments.

Table 1 lists well-defined use cases for integrating a Radware VNF solution with CSP 2100 running on Intel processors and NICs.

Table 1. Radware NFV Use Cases
VNF columns: LB; Acceleration H2GW, TCPO; SSL Inspect; IP Reputation; URL Filtering; DefenseSSL; vDP Detector; vDP Mitigation; WAF
Use case rows: vCPE; Mobile DC: DNS, IMP, Billing, VAS, Portals; SDDC

Use Case 1: Virtual Customer Premises Equipment

Virtual customer premises equipment (vCPE) is designed to help service providers save expenses incurred while operating and managing network functions such as routing, firewall, application delivery controller (ADC), DDoS protection, intrusion prevention system (IPS), WAN optimization, access control, and web application firewall (WAF) services. The cost savings are achieved by deploying existing CPE functions in POPs running on software and hardware platforms such as the CSP 2100, which elastically manages capacity based on subscription.

Radware introduces best-in-class vCPE cybersecurity, traffic acceleration, and content delivery functions, exceeding customer requirements while accelerating service agility. Always-on multitenant network and application DDoS services offer any combination of:

- Encrypted attack protection
- Multitiered web application firewall services
- Web acceleration, HTTP 2.0 Gateway (H2GW), SSL inspection, URL filtering, etc.
- End-to-end health monitoring that helps ensure service continuity and origin-based high availability
- MSSP portal available for white labeling to promote downstream channels

Use Case 2: Mobile Data Center

Voice over long-term evolution (VoLTE) service, based on virtual IP multimedia subsystem (vIMS) infrastructure, offers operators huge cost savings and operational benefits. It eliminates the need to have voice and data on separate networks, and it can unlock new revenue potential with rich communication services (RCS) multimedia services such as VoLTE. As VoLTE becomes more attractive, service providers are looking for advanced scalability solutions. Along with its benefits, VoLTE does introduce many security risks because it is based on IMS technology.

vIMS introduces the potential for application DDoS attacks targeting control-plane elements, such as Session Initiation Protocol (SIP) application servers (IMS infrastructure), and data-plane elements, such as session border controllers (SBC) and IMS proxies (P-CSCF).

The Radware vIMS solution is equipped to provide scalability plus protection against SIP scans, SIP application DDoS attacks, brute-force and pre-attack activities, and SIP anomalies.

Control-plane network components are considered mission critical. Radware control-plane solutions provide high availability, scalability, resiliency, and application protection for control-plane protocols, including Domain Name Service (DNS), RADIUS, DIAMETER, Dynamic Host Configuration Protocol (DHCP), and syslog. Radware also provides the best response time in the industry because the company understands that delays in control-plane traffic have a direct, negative impact on users’ quality of experience (QoE).

Transparent traffic handling within SGi-LAN zones includes header enrichment, packet normalization, real-time policy updates, and advanced TCP acceleration for effective spectral efficiency. Radware offers elasticity and high availability for value-added proxies, gateways, and other high-speed session brokers to increase the resilience and utilization of highly distributed resources. The capability to combine application delivery, performance acceleration, and security across a broad range of elements in a consistent manner offers element consolidation and efficiency.

Use Case 3: Software-Defined Networking

Enterprises and cloud providers are gradually shifting to SDN. Radware provides compelling solutions that transparently integrate its ADC and cybersecurity product portfolio into such environments, allowing customers to capitalize on their investments. Radware’s SDN and NFV-based solutions allow customers complete elasticity in deploying their ADC and security services throughout the network on the Cisco CSP 2100. Customers can now deploy and redeploy ADC and security services across their entire network in hours, regardless of the desired location of those solutions. With Radware’s Alteon NFV and virtual DefensePro (vDP) solutions, network operators can now quickly deploy high-throughput services wherever required across their network.

The joint venture among Cisco, Intel, and Radware frees expensive IT resources for innovation. Radware’s SDN-integrated solutions are focused on simplifying and abstracting the deployment, management, and monitoring of ADC and security solutions, thus requiring less of IT and networking personnel. ADC and security professionals are now able to explore and experiment.

At the same time, simplified implementation of network services, including complex, multi-appliance services, reduces the cost of implementation.

Conclusion

Radware’s SDN and NFV solutions broaden an organization’s ability to introduce new network services that previously had been either too costly to deploy or impossible to implement. High-scale network services use NFV-compliant ADC and security components, which can perform and scale to match the performance of a high-end hardware device.

Intel products offer open architecture in a secure, low-latency, virtualized, and scalable environment to optimize Cisco and Radware software.

The Cisco CSP 2100 NFV platform software for the Cisco Unified Computing System (Cisco UCS) provides both service providers and enterprises a turn-key solution that they can use to begin benefiting from NFV starting today.

For More Information

For additional information, see:

- http://www.cisco.com/go/csp
- https://dcloud-cms.cisco.com/?p 23376
- https://networkbuilders.intel.com/ urces/

For questions and comments, contact CSP-2100@cisco.com.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

© 2016 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners.

Copyright © Intel Corporation, 2016. All rights reserved.
* Other names and brands may be claimed as the property of others.

C11-737457-00 06/16
