White Paper: The Road To SDN Is Paved With Visibility And Many Good Intentions


Whitepaper: The Road to SDN is Paved with Visibility and Many Good Intentions

2015-2016 Gigamon. All rights reserved.

Introduction

Network architectures are in the midst of massive transformation. Not too long ago, traditional network designs began to strain under increased demand for compute and storage. This saw the advent of server and storage virtualization so that organizations could have on-demand access to the resources required for supporting service-oriented architectures and machine-to-machine communications. The increased agility and provisioning of virtualization showed the immense flexibility of decoupling key network components from the underlying hardware and catalyzed what is now a movement toward software defined networking (SDN).

While SDN and network virtualization (NV) rollouts are far from common, practically all organizations are making plans to accommodate this eventual architectural shift, which will transform networking in a way unseen in decades. As organizations consider how they benefit from SDN, they will undoubtedly need to shore up their institutional knowledge and staff skill sets in the areas of software defined architectures and network function virtualization. In order to help, this paper brings together information from various sources to explain basic SDN concepts and terminology, lays out the benefits of SDN, and offers market trends and practical advice for mapping the journey. The centerpiece of this guidance lies with pervasive network visibility. This paper concludes by explaining how, starting today, organizations have access to one unifying framework that is easy and fast to implement and serves as a foundational building block to see them through server virtualization, to SDN, to cloud adoption and beyond.

Background

What is SDN?

SDN architecture separates or decouples the control plane (i.e. the administration layer) from the data plane (i.e. the data forwarding layer). The resulting architecture is a highly programmable and scalable one where the control framework can view and provision the network as a single logical abstraction. In this kind of architecture, the orchestration and provisioning of services is easier to manage, with desired configurations applied consistently and automatically. This unlocks whole new levels of scale and agility as well as choice in underlying hardware infrastructure. Beyond significant savings in CAPEX and OPEX, the SDN architecture spurs innovation and accommodates change quickly, to the benefit of those it serves, with little disruption and overhead.

How are Software-Defined Visibility and Network Function Virtualization related?

Software defined networking (SDN) and network function virtualization (NFV) are complementary. For that matter, other complementary concepts are those of network virtualization (NV) and white box switching. In the end, all of these concepts are about abstracting the software from the underlying hardware such that the functions of the former are portable and don't have a hardware dependence.

- SDN: the decoupling of the network control layer from the data or forwarding layer. This is at the highest level of abstraction and treats the network as a whole.
- NFV: this is focused on specific network services, a small representative list of which are DNS, network address translation, security services like firewalling, IPS and advanced threat detection, as well as WAN optimization and CDN.
- NV: this is really about optimizing use of network bandwidth by treating it as an available whole that can be carved up and assigned to servers, or more likely virtual machines, as needed in near-real time.

The role of OpenFlow

OpenFlow has been erroneously used as a synonym for SDN. It was in fact one of the first open standards to define the communications paths and interfaces between the control and forwarding plane of an SDN. The image below outlines the current structure of OpenFlow as put forward and managed by the Open Network Foundation (ONF). In this structure, an SDN Controller functions as central command for the SDN. It communicates with routers and switches at the infrastructure layer via APIs like OpenFlow and the Open Virtual Switch Database (OVSDB). APIs are also the means by which the controller provisions applications.
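The controller/switch split described above, modelled in Python as an added example (this is not code from the paper, from Gigamon, or from any SDN controller project). A controller installs prioritized match/action entries into a switch flow table, the switch forwards using only those entries and punts unmatched packets to the controller, and the controller then layers a visibility rule on top of an existing forwarding rule by shadowing it with a higher-priority entry that adds a tool port as an extra output. The packet dictionaries, port numbers, addresses and the CONTROLLER pseudo-port are simplified stand-ins constructed for illustration; the mirror rule goes slightly beyond the text to show why entry priority, not install order, decides which rule a packet hits.

```python
"""
Added example, not code from the Gigamon paper or from any SDN project:
a minimal model of the OpenFlow split between a controller (control plane)
and a switch flow table (data plane). Packet fields, port numbers and the
CONTROLLER pseudo-port are simplified stand-ins constructed for illustration.
"""
from dataclasses import dataclass

CONTROLLER = "CONTROLLER"  # stand-in for the OpenFlow controller pseudo-port


@dataclass
class FlowEntry:
    priority: int
    match: dict        # field -> required value; a field left out is a wildcard
    actions: list      # output ports the packet is copied to
    packets: int = 0   # per-entry counter, in the spirit of OpenFlow flow stats

    def matches(self, pkt):
        return all(pkt.get(k) == v for k, v in self.match.items())


class FlowTable:
    """Data plane: forwards packets using only controller-installed rules."""

    def __init__(self):
        self.controller = None
        self.entries = []
        # Table-miss entry: lowest priority, punts unknown traffic to the controller.
        self.add(FlowEntry(priority=0, match={}, actions=[CONTROLLER]))

    def add(self, entry):
        self.entries.append(entry)
        # Highest priority first; the sort is stable, so ties keep install order.
        self.entries.sort(key=lambda e: e.priority, reverse=True)

    def forward(self, pkt):
        for entry in self.entries:
            if entry.matches(pkt):
                entry.packets += 1
                if CONTROLLER in entry.actions and self.controller is not None:
                    self.controller.packet_in(pkt)
                return list(entry.actions)
        return []  # not reachable while the table-miss entry is present


class Controller:
    """Control plane: the single place where forwarding policy is decided."""

    def __init__(self, switches):
        self.switches = switches
        self.punted = []  # packets the switches could not handle on their own
        for sw in switches:
            sw.controller = self

    def install(self, priority, match, actions):
        for sw in self.switches:
            sw.add(FlowEntry(priority, dict(match), list(actions)))

    def mirror(self, match, tool_port):
        """Copy traffic for an existing rule to a tool port without changing
        where it is forwarded: shadow the rule with a higher-priority entry
        that carries one extra output. Other rules are left untouched."""
        for sw in self.switches:
            base = next((e for e in sw.entries if e.match == match), None)
            if base is None:
                raise KeyError(f"no forwarding rule for match {match}")
            sw.add(FlowEntry(base.priority + 1, dict(match), base.actions + [tool_port]))

    def packet_in(self, pkt):
        self.punted.append(pkt)


def run_scenario():
    """Install two forwarding rules, observe forwarding, then add a mirror."""
    sw = FlowTable()
    ctl = Controller([sw])
    ctl.install(100, {"ip_dst": "10.0.0.10", "tcp_dst": 443}, [2])
    ctl.install(100, {"ip_dst": "10.0.0.20"}, [3])

    # Constructed packets: two that match policy, one the switch has never seen.
    https = {"in_port": 1, "ip_dst": "10.0.0.10", "tcp_dst": 443}
    db = {"in_port": 1, "ip_dst": "10.0.0.20", "tcp_dst": 5432}
    unknown = {"in_port": 1, "ip_dst": "192.0.2.7", "tcp_dst": 22}
    before = (sw.forward(https), sw.forward(db), sw.forward(unknown))

    # Visibility policy: the HTTPS flow is additionally copied to tool port 9.
    ctl.mirror({"ip_dst": "10.0.0.10", "tcp_dst": 443}, tool_port=9)
    after = (sw.forward(https), sw.forward(db))
    return before, after, len(ctl.punted)


if __name__ == "__main__":
    print(run_scenario())
```

Running the script prints the output ports chosen before and after the mirror rule is installed, plus how many packets were punted to the controller: the HTTPS flow goes from port 2 alone to ports 2 and 9, the database flow is unaffected, and the unknown packet hits the table-miss entry exactly once.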

[Figure 1: Software-Defined Framework. Application Layer: Business Applications; API; Control Layer: Network Services; API; Infrastructure Layer: Network Services]

The choice of protocols, and of the SDN controller in particular, has been at the source of a fierce industry battle that is still playing out among established networking vendors and newer players alike. The choices span open source controllers like NOX (developed by Nicira, now VMware), POX, Beacon, and the more recent OpenDaylight, which enjoys broad market support from vendors large and small like Cisco, Citrix, Ericsson, HP, IBM and Juniper (see list). Many of these vendors offer commercial versions of controllers that are open source derivatives, while others have purpose-built proprietary offerings that may or may not be open sourced in the future. Firms like AT&T, Ciena, Fujitsu, Huawei, NTT, and Intel are also offering an alternative to OpenDaylight with the Open Network Operating System (ONOS).

A lot is riding on the choice of controller and the supported protocols, since it will determine the SDN architecture and its interactions with infrastructure, including existing routers and switches.

A word on OpenStack

Started in 2010 as a joint effort between RackSpace and NASA, OpenStack is now a global community of users and contributors administered by the OpenStack Foundation. The OpenStack goal is to bring the flexibility and scale of open source to the design of public and private clouds. Any service provider, company, government agency, or organization that wants to avoid vendor lock-in in the design and building of new data centers may want to consider the benefit that an OpenStack approach provides long term. As of this writing, over 150 companies have agreed to contribute code and expertise to the OpenStack foundation effort. The OpenStack architecture is modular and employs codenames for what are commonly known parts of a cloud computing architecture like compute, storage, networking and virtual machine monitoring, to name a few (see below):

[Figure 2: OpenStack main services and components [1]. Heat: orchestration templates; Horizon: dashboard, web UI; Neutron: networking; Cinder: block storage; Keystone: identity service; Glance: VM image manager; external storages]

In times past, many analysts and the industry at large have questioned the viability of OpenStack, citing an absence of broad use cases for the open source approach, a concern which is diminishing as enterprise use cases like Overstock.com, Paypal, and many others join FICO and NASA. Still, there are enough concerns about scale-out, interoperability, and NFV to warrant research about which cloud architecture option (i.e. proprietary, limited distribution, or open) is right for your organization.

The business case for SDN and NFV

Network infrastructure has not seen massive change in decades. Part of the reason is that today's high performance networks run on purpose-built hardware with custom silicon that represents enormous investment on the part of the companies that have brought them to market. Implementers too have devoted significant resources in the people with specialized skills and certifications that are required to maintain today's network infrastructure. This state of affairs has made any kind of customization and network design flexibility extremely difficult until recently.

[1] Source: https://en.wikipedia.org/wiki/OpenStack

With SDN, customers have more options in their choice of infrastructure. Off the shelf hardware, with or without the OS and basic networking services installed, is available, as are white box switches marketed precisely because of their flexibility and customizability. Network designers still have to make some trade-offs in performance versus flexibility, but with more latitude than ever before, and the innovation in this area continues rapidly. In fact, many vendors of purpose-built appliances for network and networking services now offer their functionality as software-only bundles and subscription services. In a nutshell, SDN and NFV:

1. Are serving as catalysts for innovation and accelerating its pace
2. Give customers more leverage in the sourcing of networking infrastructure
3. Open the door to new services and applications that may have been non-options because of hardware dependence
4. Reduce CAPEX through shared infrastructure use, which greatly expands the number of tenants and resources that can be served
5. Reduce OPEX through centralized control and orchestration of network services and resources, which expedites administration and service delivery
6. Make organizations more competitive and, in the case of the public sector, more responsive through network flexibility and scaling that is business driven and at-will

Security challenges with SDN

Modern threats target traffic inside networks and data centers. They may enter the data center hiding within authorized devices or traffic streams, but once inside they propagate laterally, server-to-server. In theory, security controls and devices can be applied at each data center segment, but in reality this is impractical from a scale and performance perspective, especially given growing network speeds and traffic volumes. When security is introduced, it is rarely pervasive or granular. Also, despite some innovation in this area, the unification of security policies and application control across physical and virtual workloads is simply not a realistic deployment option, at least today. As a result, data centers remain highly vulnerable and the favorite targets of attackers, because they often house an organization's most valuable data. This situation becomes more acute in SDN architectures, where reference designs and best practices don't exist yet and automation may unwittingly serve to proliferate threats more quickly and broadly in the network.

Customers and Adoption

SDN Market Forecast

In less than five years, practically every network purchase will be scrutinized for SDN readiness and fit. See the 2015 SDN market report at SDXCentral: ed-networking/.

Use cases

Campus and branch—One of the key concerns in campus networks is network access control (NAC), or ensuring that users connect to networks securely and with access to only those services and applications required, regardless of which device is used or where the connection takes place. The centralized control and provisioning capabilities within SDN can ensure that users' experience accessing required resources is seamless, independent of the underlying infrastructure, and that connectivity is consistent with the security and business profile that the organization has bestowed on the user. Changes in the security posture or accessibility needs can automatically trigger a rapid re-provisioning of the resources required without manual intervention or delays.

Data centers—With big data warehousing and massive increases in east/west and machine-to-machine traffic, data center designs are all about scale. SDN and NFV can extend the benefits of server and storage virtualization with on-the-fly service and application provisioning. Applications are spun up according to business need, with the requisite amount of compute and security services automatically assigned as well.

Cloud—Private, hybrid, and even public clouds are really specialized data centers where agile resource allocation and infinite segmentation is key. With SDN and NFV architectures in play, clouds can be micro-segmented, giving tenants maximum control, ensuring resource privacy and the ability for threat containment. With the SDN data center and cloud provisioned as a logical whole, the management overhead is lower and the carbon footprint is maintained at the optimal level for the load.

Service providers—SDN and NFV offer many benefits for carriers and mobile network operators who want not only to scale, but to monetize every aspect of their infrastructure investments. With centralized control and provisioning, carriers can offer users and businesses services based on customized bundles for desired applications, performance levels and security. On-the-fly and even self-service provisioning can mean huge gains in usage-based revenue, competitive differentiation and customer loyalty. Also, the ability to source infrastructure with a variety of vendors and pricing models can dramatically reduce the CAPEX, or at least improve the ROI, of SDN and NFV rollouts.
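The "Security challenges with SDN" section above notes that threats, once inside, propagate laterally server-to-server, and the data center use case points at the growth of east/west traffic. The following is an added example, not code from the paper or from Gigamon, of the kind of check a centralized tool can run once it receives flow records for all east-west traffic: it keeps only internal-to-internal flows and flags any source that contacts an unusually large number of distinct internal peers inside a short window, with an operator allowlist for hosts that legitimately fan out (monitoring pollers, for instance). All addresses, ports, thresholds and flow records are constructed for illustration.

```python
"""
Added example, not part of the Gigamon paper: a small east-west "fan-out"
detector run over flow records a centralized tool might receive from a
visibility layer. Addresses, ports, thresholds and records are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: the address space treated as "inside the data center".
INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    # normal: an app tier talking to its database every 10 seconds
    *[(t, "10.0.1.10", "10.0.2.20", 5432) for t in range(0, 300, 10)],
    # normal: the same app server reaching an external API (north/south, ignored)
    (15, "10.0.1.10", "203.0.113.5", 443),
    # suspicious: one host touching many internal peers on admin ports in a minute
    *[(100 + i, "10.0.1.55", f"10.0.2.{i}", 445) for i in range(1, 11)],
    *[(120 + i, "10.0.1.55", f"10.0.2.{i}", 3389) for i in range(1, 5)],
    # benign: a monitoring poller that is explicitly allowed to fan out
    *[(200 + i, "10.0.9.9", f"10.0.2.{i}", 161) for i in range(1, 20)],
]

# Constructed: hosts the operator knows will contact many peers (scanners, pollers).
ALLOWLIST = frozenset({"10.0.9.9"})


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def east_west(flows):
    """Keep only server-to-server flows whose both ends are inside the data center."""
    return [f for f in flows if is_internal(f[1]) and is_internal(f[2])]


def fan_out_alerts(flows, window_s=60, peer_threshold=8, allowlist=frozenset()):
    """Flag sources that contact at least `peer_threshold` distinct internal
    peers within one fixed window of `window_s` seconds. Returns one alert
    per (source, window), ordered by source and then window."""
    peers = defaultdict(set)   # (src, window) -> distinct destinations
    ports = defaultdict(set)   # (src, window) -> distinct destination ports
    for ts, src, dst, dport in east_west(flows):
        if src in allowlist:
            continue
        key = (src, ts // window_s)
        peers[key].add(dst)
        ports[key].add(dport)

    alerts = []
    for (src, win), dsts in sorted(peers.items()):
        if len(dsts) >= peer_threshold:
            alerts.append({
                "src": src,
                "window_start": win * window_s,
                "distinct_peers": len(dsts),
                "ports": sorted(ports[(src, win)]),
            })
    return alerts


def run_detection():
    """Run the detector over the constructed records with the operator allowlist."""
    return fan_out_alerts(SAMPLE_FLOWS, allowlist=ALLOWLIST)


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

The fixed-window bucketing keeps the logic easy to reason about; a production tool would use a sliding window and a per-host baseline rather than one global threshold, and would tune the threshold against the organization's own east-west traffic. The allowlist is what keeps a legitimate poller from drowning the real signal, which is why it is an explicit, operator-maintained input rather than something the detector learns on its own.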

The State of Standards

SDN adoption might be proceeding faster were it not for the battle for standards and the ensuing confusion this causes among adopters. Network and data center architects naturally want to make choices that will maximize the return on their investments and ensure that they capture the full benefit of SDN and NFV. The diversity of SDN controllers outlined in a previous section of this document highlights the overabundance of choices, and it is a situation which is replicated within NFV, with options from ETSI, OPNFV, the OpenDaylight Project, the IETF, and the MEF. Still, there are options for stair-stepping into SDN, and they do not require waiting for the standards dramas to play out in their entirety.

Migration to SDN

Detailing the path to SDN

While some organizations may be in a position to conduct net new build-outs for SDN, the majority will likely build out hybrid networks of traditional infrastructure side by side with SDN-capable routers and switches and dynamically provisioned workloads. In order to ensure successful operation of such an environment, visibility to traffic in both types of networks will be key, as will a way to correlate administration.

The hybrid network design is appealing in that it does not require whole-cloth investment in SDN-ready gear, but rather stair-stepping into SDN instead of changing the entire data center to the model, and it can minimize the disruption to business operations that such a transition can have. At the same time, the portions of the network that are software defined will offer the benefits of automated and expedited provisioning as well as high quality of service (QoS) to those applications that are being served from it.

For most organizations, the vendors of their installed networking infrastructure, or those vendors under evaluation, will have offerings that allow for a gradual migration to an SDN architecture. This vendor list includes all of the large networking players such as Cisco, IBM, VMware, HP, Juniper, Brocade, and others, as well as start-ups. As mentioned earlier, since each may have implemented certain controllers and protocols, it is important to understand how the choice of today will impact the longer-term design options for the SDN that is being installed.

Timelines and considerations

The most important step in an SDN migration is arguably the planning phase. The overarching goal is to begin to reap SDN benefits in some measure while leveraging existing infrastructure to keep initial costs down and minimize disruption. Asking key questions and documenting the responses in as much detail as possible will serve as the working blueprint of the SDN migration. Each organization is different, so the number and types of questions may vary, but a representative list to be answered will include:

- Which business goals are driving the migration to SDN?
- Which applications should be served from the SDN architecture initially?
- Which vendors and/or protocols are being considered for the SDN infrastructure, and why?
- What are all the security controls that must, at a minimum, be replicated from the legacy network within the SDN?
- Which are the milestones and timeframes that will define the phases of the migration?
- Are there successful migrations which closely parallel the desired architecture and goals and can serve as a frame of reference?
- How will success be measured and communicated?
- What resources are required for a successful migration?

The Role of Visibility In SDN

Overview

SDN promises to transform our modern networks and data centers, turning them into highly agile frameworks that can be quickly reconfigured for changing business needs. Still, many organizations recognize that highly mobile workloads and auto-configured applications and services mean a likely loss of visibility to traffic and, consequently, loss of both performance optimization capabilities and security.

Network visibility is a foundational element in terrestrial networks and becomes more critical in highly dynamic SDN architectures. Loss of network visibility does not need to hinder firms from moving forward with SDN, however. Companies like Gigamon have taken steps to engage with both the standards community and the leading vendors of SDN architecture to ensure that application performance and security are maintained both during an SDN migration and after its completion.

Accelerating SDN adoption with a Visibility Fabric

Gigamon is a company that pioneered network visibility, delivering intelligent traffic forwarding as part of a centralized and highly scalable Visibility Fabric. The company further extended the capabilities of the Visibility Fabric, enabling its implementation as a Security Delivery Platform (SDP), or a central place from which security devices of all types can be deployed alongside solutions for packet capture, performance monitoring, and analytics.

Network visibility, as a pervasive layer, is nowhere more relevant or important than in SDN deployments. Specifically, detailed knowledge of the traffic flows and packets in these networks becomes vital for:

1. Monitoring the state of the SDN network itself
2. Monitoring the applications it enables
3. Ensuring security is maintained

Whether the SDN architecture of choice is built on OpenFlow or network virtualization abstractions like VMware's NSX and Cisco's ACI, or still some other framework, the key requirements above remain. In SDN, control and forwarding layers are managed independently yet need to function together. Synchronization issues between these layers due to network latency or vendor variance in networking infrastructure can cause bottlenecks and disrupt operations. When it comes to SDN applications and services, the benefits of on-demand provisioning are undeniable. But this sort of dynamic configuration can result in unpredictable traffic patterns that become hard to troubleshoot via traditional means, which place performance management tools at predictable places in the network. Visibility to such traffic in the SDN realm needs to be constant and the tools centralized, so that they can receive all traffic flows and packets. Similar logic applies to the need for security. Whereas security devices could be placed on critical network segments in traditional networks, this is not possible in SDNs, because the critical points of the network are not known but rather change, and quite frequently, as new resources and communications rules are provisioned. Centralized placement and total access to all inter-SDN traffic gives security technologies the best statistical chance of surfacing embedded malware and anomalous patterns.

[Figure: Internet; IPS (Inline)]

To explain the point further, three specific SDN use cases are outlined below.

The VMware NSX Software Defined Data Center (SDDC)

One of the key elements of making the move to the SDDC is the ability of IT to manage, monitor and secure the SDDC while continuing to leverage investments in existing tools. Network virtualization solutions like VMware's NSX and Cisco ACI introduce the concepts of overlay
