1. CloudVPN
Fostering The Evolution of Network-Based Cloud
Service Providers.
Bart Van de Velde
Sr. Director, Engineering, Chief Technology & Architecture Office
MPLS SDN NFV Congress - Paris
2. © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
• Introduction
• CloudVPN Use Case
• CloudVPN Architecture
• CloudVPN as a Service Delivery Platform
• Summary
3. CloudVPN – A Programmable Platform for SP’s to evolve their
VPN offerings with Cloud integration at a lower TCO (agility,
automation, simplification) and low marginal cost achieved through
Virtualization and SDN enablement.
4. User ≠ One Size Fits All
New solutions demand more flexible and comprehensive offerings that interoperate with existing equipment, hardware and software included.
[Diagram: The New Customer Requirements: On-Demand Bandwidth & Capacity; Big Data & Analytics; Rapid Deployment of New Business Applications; Anywhere/Anytime Secure Accessibility; User Experience, Delivered; Open Solutions; Seamless Connectivity; One Stop Shop; UX & Multi-Platform; On-Demand Solutions; PAYG Models]
5. The Starting Point: Unique Opportunity of the SMB Market
An excellent starting point to evolve business services models
Modular architecture: low-cost customization
Cloud services deliver on new buy models, demands and cycles
Variability in vertical, size and offering needs, and in buy cycle; one size does not fit all
6. SDN, NFV and Orchestration: Creating the Change Platform
Orchestration: automation, provisioning and interworking of physical and virtual resources
SDN: separation of control and data plane
NFV: network functions and software running on any open standards-based hardware
[Diagram: a Services Platform built on Service Orchestration, SDN and NFV]
The Time is NOW to put SDN, NFV, and Orchestration into Action
7. The Mission: Service Provider Business Transformation
AUTOMATION, VIRTUALIZATION AND ORCHESTRATION ARE REQUIRED…HOW?
[Diagram: Virtualized Resource Pools (network-ready compute/storage); Virtualized Network Functions; Secure Overlays; Dynamic Set-Up, Tear Down and Provisioning; On-Demand Workload Movement with Service Profiles; Data Center Network; Workload Portability; Orchestration; Full Access to Resource Pools Anywhere; Cloud Services]
Cost Reduction and Agility Delivers Profits
8. Agenda
• SDN, NFV & Orchestration
• CloudVPN Use Case
• CloudVPN Architecture
• CloudVPN as a Service Delivery Platform
• Summary
9. Goal: Multi-tenant Virtual Private Network + Cloud
Virtual Private Cloud (VPC): a logical design automatically created within the WAN and Cloud Data Center, with self-service creation and modifications
[Animated diagram: customer sites on xDSL, GPON, FTTX and Mobile access attach to routers R1 and R2 and are joined into a VPC]
10. CloudVPN – Key Focus Areas
• Self Service – Catalog Driven
• Address Small [branches] of the large [enterprises]
• Remote Worker, SOHO, Distributed Sites (hospitality, retail)
• One Offering: Integrate VPN with Cloud Services
• Lower TCO (agility, automation, simplification) via Virtualization & Cloud
Management
• Leverage existing SP Network Infrastructure
• Shorter Time To Revenue with NO upfront CAPEX
• Ability to bundle offers. SMB -> Mobile, Video, Smart business, security
11. Customer Experience in a Nutshell
Order Services → CPE ships → Unbox & Plug-in → Orchestration happens! → Service up and running
12. CloudVPN Business Services, Use Case 1: CloudVPN with Internet, Firewall (FW), Remote Access (RA)
Cloud IPVPN with FW and Remote Access to Internet
• vFW with NAT and Policy
• vFW with IPSec/SSL Remote Access including Remote End-Host posture verification
Overlay Packet Tunnels
• IPSec tunnels – mesh, hub&spoke
[Diagram: CPEs connect over the Internet to the SP Cloud, which hosts a VR and a vFW under Cloud-Hosted Management (scalable, elastic, on-demand); an Internet Router provides Internet access]
13. CloudVPN Business Services, Use Case 2: CloudVPN with Internet, FW, RA and Enhanced Web Security
Cloud IPVPN with FW and Remote Access to Internet
• vFW with NAT and Policy
• vFW with IPSec/SSL Remote Access including Remote End-Host posture verification
• WSAv for Enhanced Web Security
Overlay Packet Tunnels
• IPSec tunnels – mesh, hub&spoke
[Diagram: as Use Case 1, with a WSAv added to the SP Cloud service chain between the vFW and the Internet Router]
14. CloudVPN Business Services, Use Case 3: CloudVPN with Internet, FW, RA and Next-Gen-IPS
Cloud IPVPN with FW and Remote Access to Internet
• vFW with NAT and Policy
• vFW with IPSec/SSL Remote Access including Remote End-Host posture verification
• vNG-IPS (SourceFire) for advanced threat protection and real-time contextual awareness
Overlay Packet Tunnels
• IPSec tunnels – mesh, hub&spoke
[Diagram: as Use Case 1, with a vNG-IPS added to the SP Cloud service chain between the vFW and the Internet Router]
15. Demo Time
16. Agenda
• Introduction
• CloudVPN Use Case
• CloudVPN Architecture
• CloudVPN as a Service Delivery Platform
• Summary
17. CloudVPN End-to-End Architecture
Model driven service consumer portal for self-service service lifecycle: create, modify, redeploy, delete.
[Diagram, from the consumer side inward:
- Portal: Service Consumer Self Service and Operator Self Service, with Service Design (Create, Deliver, Operate, Optimize), My Designs / My Deployments and a Deployment Wizard (Select Scope: Engineering, Testing, New Folder); the SP's BSS Systems attach over RC/YANG
- NCS: network service lifecycle management, holding service models, device models, fastmap and reactive fastmap (all YANG), with netconfd and java components, exposed over NC/YANG and RC/YANG
- NEDs per device type: VR_CSR (CSR), VFW_vASA (vASA), ISR, vNG-IPS (vNG-Intrusion Prevention) and vSecWeb-WSAv, plus Other Network Services, each reached over NC/YANG for Config & Operation
- ESC: virtual service lifecycle management, reached over REST/XSD, driving the virt infra mgr (Network, Compute, Storage), the O/S component APIs and the Virtual Switch
- ISR CPE on the Customer VPN: Discovery & Call Home to the PnP Server (Call Home) across the WAN network and Internet; Cisco PnP over http and Cisco CLI via SSH for Config & Operation]
18. CloudVPN with ISR CPE Use Case
[Diagram: the Tenant Portal and the SP's OSS/BSS drive the Network Services Orchestrator (NSO) over REST APIs; NSO drives the PnP Server and the Elastic Services Controller (ESC), which spins up a CSR1Kv on an OpenStack x86 server behind the DCI/PE]
Customer Orders VPN Service → ISR CPE Shipped to Customer Site, connected & Powered ON → PnP Functionality (Zero Touch Provisioning): Provide Day 1 Configuration → Spin up CSR, Provision CSR → Establish VPN: IPSec, IP Overlay (VXLAN, GRE, LISP), L2 → CloudVPN Connectivity up
19. CloudVPN - Adding VNFs In The Cloud
[Diagram: as in the ISR CPE use case, with ESC spinning up CSR1Kv, ASAv and vESA on the OpenStack x86 server behind an Internet Gateway; the VNFs are joined by OVS or by VTF]
Same flow as before: Customer Orders VPN Service → ISR CPE Shipped to Customer Site, connected & Powered ON → PnP Functionality (Zero Touch Provisioning): Provide Day 1 Configuration → Establish VPN: IPSec, IP Overlay (VXLAN, GRE, LISP), L2 → CloudVPN Connectivity up
If more VNFs are needed for a Service Chain? More scalable and flexible service chaining enabled with VTC & high-performance VTF.
20. CloudVPN Service Topologies
Legend: vR router; vLB load balancer; vFW firewall; vWSA web security appliance; vESA email security appliance; vISE identity services engine; vNG-IPS intrusion prevention system; vDDoS DDoS mitigation services; Internet Router. Packet service nodes are joined by packet links (tunnel, local link) at L2/L3 termination points. Packet flows shown: unclassified, BYOD AAA, http requests, email (inside & outside), DDoS threat, IPSec/SSL, IPS threat.
Topology 1: vIPVPN with FW and RA (vR, vFW, CPEs, Internet Router)
- vFW with NAT and FW policy.
- vFW with IPSec/SSL Remote Access (RA) incl. remote end-host security posture verification.
Topology 2: vIPVPN with BYOD, FW and RA (adds vISE)
- vFW with NAT and FW policy.
- vFW with IPSec/SSL remote access incl. remote end-host security posture verification.
- vISE for BYOD svc auth (AAA, trust-sec label to IP binding)
Topology 3: vIPVPN with BYOD, FW, RA, WebSec (adds vWSA)
- vFW with NAT and FW policy.
- vFW with IPSec/SSL remote access incl. remote end-host security posture verification.
- vISE for BYOD svc auth (AAA, trust-sec label to IP binding)
- vWSA for Enhanced Web Security
Topology 4: vIPVPN with BYOD, FW, RA, EmailSec (vESA in front of a DMZ email server?)
- vFW with NAT and FW policy.
- vFW with IPSec/SSL remote access incl. remote end-host security posture verification.
- vESA for Critical Information Protection (inbound and outbound Emails)
Topology 5: vIPVPN with BYOD, FW, RA, WebSec, ngIPS (adds vNG-IPS)
- vFW with NAT and FW policy.
- vFW with IPSec/SSL remote access incl. remote end-host security posture verification.
- vISE for BYOD svc auth (AAA, trust-sec label to IP binding)
- vWSA for Enhanced Web Security
- vNG-IPS (SourceFire) for advanced threat protection and real-time contextual awareness
Topology 6: vIPVPN with BYOD, FW, RA, WebSec, DDoS (adds vDDoS)
- vFW with NAT and FW policy.
- vFW with IPSec/SSL remote access incl. remote end-host security posture verification.
- vISE for BYOD svc auth (AAA, trust-sec label to IP binding)
- vWSA for Enhanced Web Security
- vDDoS (Radware DefensePro) for volumetric and application DDoS visibility and mitigation services
21. CloudVPN – Soft Real-Time Orchestration Loop
[Diagram: the Operator Portal and User Portal reach NCS through its CLI and NBI (NETCONF, console); NCS carries the CloudVPN Function Pack (service models and implementation) and drives ESC on Openstack for the CSR and ASAv, and the ISR CPEs directly]
22. CloudVPN – Soft Real-Time Orchestration Loop
ESC and NCS interaction allows for dynamic service creation and update: CREATE SERVICE, UPDATE SERVICE, DELETE SERVICE and REDEPLOY SERVICE all go through FASTMAP, and changed network state (PnP and ESC notifications) triggers a service redeploy.
[Diagram: NCS sits between the ISR CPEs and ESC/Openstack hosting the CSR and ASAv]
23. CloudVPN – zooming in on the modeled Networking Layer
[Example of a network topology model: five nodes (node.1 to node.5), four links (link.1 to link.4) and eight termination points (tp.1 to tp.8); the model is made of three lists: nodes, links and termination_points]
24. CVPN-S2S-RA-FW-INET
- S2S: inter-site VPN with CPE-to-VR tunnels;
- RA: VFW with encrypted Remote Access (RA) incl. remote end-host security posture verification;
- FW-INET: VFW with NAT44 and stateful FW policy for Internet connectivity;
[Diagram, CVPN-S2S-RA-FW-INET network service topology: CPEs and remote-access clients (RAC) attach over tunnels to the VR and VFW, which front the Internet]
[Diagram, CVPN-S2S-RA-FW-INET packet flows, on the same topology: flows shown are unclassified, http requests, DDoS threat, SSL and IPS threat; processing steps are NAT44 (packets are NAT44'ed toward the Internet), WCCPv2 redirect (http only), IP forwarding via static or dynamic route, SSL termination, ACL based forward, and packet processing & forwarding; links are local connections or tunnel connections; termination points are L2 (Ethernet) or L3 (IPv6 and/or IPv4)]
[Example of a network topology model]
25. CloudVPN topology layers: Underlay, Overlay, Virto
[Diagram, Underlay: Topology dt_mvp1_underlay (Tags: sjc_lab, underlay). cpe-01 (cisco-isr) on Gig0/1 reaches r2; compute-01 (cisco-ucs) hosts esc-01 (esc) with eth1, eth4, eth4.100 and eth4.101 onto br-outside-01 (ovs-network)]
[Diagram, Overlay: Topology dt_mvp1_overlay (Tags: overlay). cpe-01 (cisco-isr) and router-01 (cisco-csr1000v) are joined by ipsec_vpn / ipsec_tunnel, cpe-01.Gig0/1 to router-01.Gig1]
[Diagram, Virto: myvpn (Tags: sjc_lab). cpe-01 (cpe) -> tunnel-01 (cpe tunnel; uni, nni) -> router-01 (Virtual Router, VRF, IVRF; Gig1, Gig2) -> br-01 (vBridge, ovs-network) -> firewall-01 (vFirewall, cisco-asa100V; inside, outside) -> br-02 (vBridge) -> wsa-01 (vWSA, cisco-vwsa; eth0, eth1, eth2) -> br-internet-01 -> internet (external network, Unmanaged IP Network); termination points tp1, tp2, tp3 carry functions such as router, firewall and gateway]
YANG tree of the virto module (the node types are the CloudVPN service-node kinds):
module: virto
+--rw virto [id]
...
| +--rw topology-types?
| | +--rw cvpnv:cloudvpn-virto?
| +--rw tags* string
| +--rw supporting-topology [id]
...
| +--rw node [id]
...
| | +--rw node-type?
| | | +--rw cvpnv:cloudvpn-virto
| | | +--rw cvpnv:cpe?
| | | +--rw cvpnv:tunnel?
| | | +--rw cvpnv:vRouter?
| | | +--rw cvpnv:vFirewall?
| | | +--rw cvpnv:vAAA?
| | | +--rw cvpnv:vWSA?
| | | +--rw cvpnv:vESA?
| | | +--rw cvpnv:vIPS?
| | | +--rw cvpnv:vDOS?
| | | +--rw cvpnv:network?
...
| | +--rw supporting-node* node-ref
| | +--rw termination-point [id]
...
| | +--rw function?
...
| +--rw link [id]
...
+--rw occupancy
...
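The topology model of the "modeled Networking Layer" slide and the virto YANG tree above, as an added example (not the CloudVPN virto implementation): a Python model of nodes with a node-type, termination points and links, with two checks. The first is referential integrity, what a YANG leafref would enforce: every link end names an existing node and termination point. The second is the property a service-chain operator wants from a Virto: no CPE may reach the external network without traversing a vFirewall node, tested by removing all vFirewall nodes and checking reachability. Node and termination-point names follow the slide's myvpn Virto; the attribute names, the node:tp reference syntax and the one-link-per-termination-point rule are assumptions.

```python
"""Topology-model consistency and firewall-bypass checks (added example, not the
CloudVPN virto YANG implementation).  Mirrors the `virto` tree: nodes with a
node-type, termination points, and links between termination points."""
from collections import deque
from typing import Dict, List, Set, Tuple

Node = Dict[str, object]   # {"type": str, "tps": [str, ...], "external": bool?}
Link = Tuple[str, str]     # ("node:tp", "node:tp"), treated as bidirectional


def virto_myvpn() -> Tuple[Dict[str, Node], List[Link]]:
    """Constructed Virto after the slide: CPE -> tunnel -> CSR -> bridge ->
    ASAv -> bridge -> WSA -> bridge -> Internet.  Attribute names are assumed."""
    nodes: Dict[str, Node] = {
        "cpe-01":         {"type": "cpe",       "tps": ["Gig0/1"]},
        "tunnel-01":      {"type": "tunnel",    "tps": ["uni", "nni"]},
        "router-01":      {"type": "vRouter",   "tps": ["Gig1", "Gig2"]},
        "br-01":          {"type": "network",   "tps": ["tp1", "tp2"]},
        "firewall-01":    {"type": "vFirewall", "tps": ["inside", "outside"]},
        "br-02":          {"type": "network",   "tps": ["tp1", "tp2"]},
        "wsa-01":         {"type": "vWSA",      "tps": ["eth0", "eth1"]},
        "br-internet-01": {"type": "network",   "tps": ["tp1", "tp2"]},
        "internet":       {"type": "network",   "tps": ["tp1"], "external": True},
    }
    links: List[Link] = [
        ("cpe-01:Gig0/1", "tunnel-01:uni"),
        ("tunnel-01:nni", "router-01:Gig1"),
        ("router-01:Gig2", "br-01:tp1"),
        ("br-01:tp2", "firewall-01:inside"),
        ("firewall-01:outside", "br-02:tp1"),
        ("br-02:tp2", "wsa-01:eth0"),
        ("wsa-01:eth1", "br-internet-01:tp1"),
        ("br-internet-01:tp2", "internet:tp1"),
    ]
    return nodes, links


def _split(ref: str) -> Tuple[str, str]:
    node, _, tp = ref.partition(":")   # "node:tp"; TP names may contain '/'
    return node, tp


def validate_refs(nodes: Dict[str, Node], links: List[Link]) -> List[str]:
    """Referential integrity, the check a YANG leafref would enforce: every link
    end names an existing node and one of its termination points, and a
    termination point is attached to at most one link (assumption)."""
    errors: List[str] = []
    seen: Set[str] = set()
    for a, b in links:
        for ref in (a, b):
            node, tp = _split(ref)
            if node not in nodes:
                errors.append(f"{ref}: unknown node {node}")
            elif tp not in nodes[node]["tps"]:
                errors.append(f"{ref}: node {node} has no termination point {tp}")
            elif ref in seen:
                errors.append(f"{ref}: termination point used by more than one link")
            seen.add(ref)
    return errors


def adjacency(nodes: Dict[str, Node], links: List[Link], skip_types=()) -> Dict[str, Set[str]]:
    """Node-level graph, optionally with every node of the given types removed."""
    adj: Dict[str, Set[str]] = {n: set() for n, d in nodes.items() if d["type"] not in skip_types}
    for a, b in links:
        na, nb = _split(a)[0], _split(b)[0]
        if na in adj and nb in adj:
            adj[na].add(nb)
            adj[nb].add(na)
    return adj


def firewall_bypasses(nodes: Dict[str, Node], links: List[Link]) -> List[Tuple[str, str]]:
    """Pairs (cpe, external network) reachable from each other without crossing
    a vFirewall node: reachability in the graph minus all firewalls is exactly
    'some path avoids every firewall'."""
    adj = adjacency(nodes, links, skip_types=("vFirewall",))
    externals = {n for n, d in nodes.items() if d.get("external")}
    out: List[Tuple[str, str]] = []
    for cpe in (n for n, d in nodes.items() if d["type"] == "cpe"):
        seen, queue = {cpe}, deque([cpe])
        while queue:
            for nxt in adj[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        out.extend((cpe, ext) for ext in sorted(externals & seen))
    return out


def check(nodes: Dict[str, Node], links: List[Link]) -> List[str]:
    """Reference errors first (a dangling leafref makes the path check meaningless)."""
    errors = validate_refs(nodes, links)
    if errors:
        return errors
    return [f"{c} reaches {e} without traversing a firewall" for c, e in firewall_bypasses(nodes, links)]


def with_bypass() -> Tuple[Dict[str, Node], List[Link]]:
    """Same Virto plus an operator 'shortcut' bridging br-01 straight to br-internet-01."""
    nodes, links = virto_myvpn()
    nodes["br-01"]["tps"].append("tp3")
    nodes["br-internet-01"]["tps"].append("tp3")
    return nodes, links + [("br-01:tp3", "br-internet-01:tp3")]


if __name__ == "__main__":
    print("myvpn:", check(*virto_myvpn()))        # []
    print("with bypass:", check(*with_bypass()))  # one violation
```

Running the check as part of the service-design step (before the Deployment Wizard hands the Virto to NCS) catches a service chain in which a bridge was wired around the firewall, something that an individual device's config validation cannot see because every device config is locally correct.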
26. Agenda
• Key Focus areas
• CloudVPN Use case
• CloudVPN Architecture
• CloudVPN as a Service Delivery Platform
• Summary
27. Service Platform Characteristics
Modularity & Interoperability: reusable & flexible; interoperable components; consistent APIs & open interfaces
Open Innovation, Open Source, Standards: standardization & development of open, multi-vendor solutions
Scale & Simplify the Network: virtualization & programmability; multi-layer convergence & interoperability; automated solutions
Increase Value for Partners, Customers, Users: new user experiences, faster time-to-market, new consumption & business models
[Diagram: Modular, Simple & Scalable, Standards-Based, Interoperable, Open; Multi-Vendor, Multi-Environment; Flexible Infrastructure, New Classes of Applications; Open & Interoperable Solutions, Standards & Open Source; Modular & Reusable Components]
28. Generalized Orchestration Model
Principles
• Functional architecture comprised of layered, loosely coupled, distributed system components
• Functions can operate and evolve independently
• Functions can be deployed in combination or isolation
• Each layer abstracts the detail of what is below it from any functions above
[Diagram: the Svc Consumer Layer (Consumer Facing Service; Service Consumer Lifecycle Management) sits above the Svc Producer Layer (Cross Domain Service Lifecycle Orchestration; operations and life-cycle management of services), which sits above per-domain Domain Controllers or Orchestrators (operations and life-cycle management of infrastructure) reached over an API, which sit above the physical and virtual Infrastructure: Virtual Network Functions, Tenant VMs, Physical Packet/Optical Network, Compute/Storage]
29. CloudVPN Model Driven Architectural Approach
• Services are driven with an E2E scope.
• The E2E scope is model driven.
• Models have both a Service and a Device component.
• Service-Network mappings bind Service Models to Network and Device Instantiations.
• Models need to span across the multi-domain CVPN service path.
[Diagram: NCS holds Service Models, Svc-Ntwrk Models and Device Models, each with its Service Definition; the service path spans Prem (CPE: L2NID, ISR), Access (Metro: ME36xx, 9K), WAN (MX, CRS, 3rd Party) and Compute (VNF Service Chaining: CSR, vASA, Router VNF on x86, …)]
30. Converging to Software Driven Architecture – Addressing the Hunger Gap
Programmability: YANG over NETCONF, RESTCONF, RESTful, JSON
Control: Soft Real Time Network OSS, Soft Real Time Compute Orchestration
Reduce Marginal Cost of Service Creation to ~0
Eliminate human operator intervention; integrate custom IT back-end
[Diagram: Business Operations (BSS) and Soft Real-Time SDN Orchestration and OSS sit above the User Area, Access (MSAN, OLT, LTE), the Packet Network, the Data Centers (DC) and Internet & peerings. Physical layer: IP Optical Network, x86 Compute. Logical layer: IP and Overlay Transport, (Virtualized) Service Creation, Internet Services, Packet flows. SDN abstraction stack / decomposition: Data Model Driven Adaptation across devices, topologies, services, agents, plugins, controllers, automation and e2e services]
31. CloudVPN – A Programmable Platform for SP’s to evolve their
VPN offerings with Cloud integration at a lower TCO (agility,
automation, simplification) and low marginal cost achieved through
Virtualization and SDN enablement.