Page 1
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Connect 1 1 © 2013 Cisco and/or its affiliates. All rights reserved.
Programmability of Network Devices: Examples of Using OnePK in Communication Architectures
Prague, Clarion Hotel
10–11 April 2013
T-SDN2 / L2
Pavel Křižanovský
Page 2
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2
Agenda
Introduction – SDN, One, OnePK?
The OnePK concept
OnePK APIs and usage examples
Summary
Page 5
“A platform for developing new control planes”
“An open solution for VM mobility in the Data-Center”
“An open solution for customized flow forwarding control in and between Data Centers”
“A means to do traffic engineering without MPLS”
“A way to scale my firewalls and load balancers”
“A solution to build a very large scale layer-2 network”
“A way to build my own security/encryption solution”
“A way to reduce the CAPEX of my network and leverage commodity switches”
“A way to optimize broadcast TV delivery by optimizing cache placement and cache selection”
“A means to scale my fixed/mobile gateways and optimize their placement”
“A solution to build virtual topologies with optimum multicast forwarding behavior”
“A way to optimize link utilization in my network: enhanced, application driven routing”
“A means to get assured quality of experience for my cloud service offerings”
“A way to distribute policy/intent, e.g. for DDoS prevention, in the network”
“A way to configure my entire network as a whole rather than individual devices”
“A solution to get a global view of the network – topology and state”
“Develop solutions at software speeds: I don’t want to work with my network vendor or go through lengthy standardization.”
Page 6
Simplified Operations
New Business
Opportunities
Enhanced Agility
Page 7
Cisco Open Network Environment – ONE
Preserve What is Working
• Resilience, Scale, Security
• Functionality and Rich Features
• Instrumentation
Evolve for New Requirements
• Operational Simplicity and Automations
• Programmability and Network-Awareness
• Upcoming Innovations
Open and Integrated Framework
• Software Defined Network concepts are a component of the Open Network Environment
• Existing APIs, Agents, Controllers and Infrastructure contribute
Open Network Environment
Network Programming: onePK; developer.cisco.com, CDN, Training, Certification, Partners, EEM, EASy (Software)
Architectures and Patterns: Controllers (ONE/Openflow PoC) (SBC, WLC, +++); CIN, CloudConnect, Sentinels, Agents
Deployment and Virtualization: Nexus 1000v, CSR 1000v, VSG and vFW/ASA, vWAAS, vNAM, …; Cisco Openstack Ed, Blade Hosting (UCS-E, …), Virtual Containers (AirVision, Cat, ISR, ASR, …)
Scenarios and Motivations
Page 8
Evolving How We Interact With The Network Operating System
Traditional Approach: App; EEM (TCL) Actions; CLI, AAA, SNMP, HTML, XML, Syslog, Span, Netflow, CDP, Routing Protocols
New Paradigm: App (C, Java, ...); Network OS: Events, Routing, Data Plane, Policy, Interface, Monitoring, Discovery, anything you can think of
Page 9
Introducing One Platform Kit - onePK
Any Cisco Router or Switch – onePK – Applications That YOU Create
Flexible development environment to:
• Innovate
• Extend
• Automate
• Customize
• Enhance
• Modify
Page 10
Who Will be the Network Programmer?
Applications That WHO Creates? onePK
Developer: Programming Skills. Expertise: Application-centric use cases; Scalable, HA applications
Network Engineer: Network, IOS Skills; Scripting Skills. Expertise: Network-centric use cases; Scripts, PoCs, HA networks
Page 12
onePK Architecture
C, JAVA Program
onePK API Presentation
onePK API Infrastructure
IOS / XE
(Catalyst, ISR, ASR1K)
NXOS
(Nexus Platforms)
IOS XR
(ASR 9K, CRS)
Page 13
onePK API Libraries
Initial Service Sets
Element
• Element Capabilities
• Configuration Management
• Interface/Ports Events
• Location Information
Utilities
• Syslog Events and Queries
• AAA Interface
• Path Trace
Discovery
• Network Element Discovery
• Service Discovery
• Topology Discovery
Developer
• Debug Capabilities
• Tracing Interfaces
• Management Extensions
Data Path
• Packet/Flow Classifiers
• Copy/Punt/Inject
• Statistics
Policy
• Interface Policy
• Interface Feature Policy
• Forwarding Policy
• Flow Action Policy
Routing
• Read RIB Routes
• Add/Delete Application Routes
• RIB Events (Route up/down)
Page 14
Where Do onePK Applications Run? Choose the Hosting Model that Suits Your Platform and Your Application
On An External Server
• Plentiful memory/compute
• Higher latency and delay
• Supported by all platforms
On A Hardware Blade
• Dedicated memory/compute
• Low latency and delay
• Requires modular hardware blade
On the Router
• Shared memory/compute
• Very low latency and delay
• Requires modular software architecture
Page 15
Yes, it is secure
Security layers: App Security, Admin Security, Container Security, Runtime Security, Code Security
Mechanisms: Digital Signing, Certification Process, CLI Control, Resource Allocation, Access Control (ACL), Isolation, Resource Consumption, Trusted/Untrusted Containers, Code Isolation, Strong Typing, AAA (PKI), Encryption (TLS)
Page 17
onePK APIs are Grouped in Service Sets
Base Service Set: Description
Data Path: Provides packet delivery service to application: Copy, Punt, Inject
Policy: Provides filtering (ACL), classification (class-maps, policy-maps), actions (marking, policing, queuing, copy, punt) and applying policies to interfaces on network elements
Routing: Read RIB routes, add/remove routes, receive RIB notifications
Element: Get element properties, CPU/memory statistics, network interfaces, element and interface events
Discovery: L2 topology and local service discovery
Utility: Syslog event notification, path tracing capabilities (ingress/egress and interface stats, next-hop info, etc.)
Developer: Debug capability, CLI extension which allows an application to extend/integrate the application’s CLIs with the network element
Page 18
Getting Properties and Statistics
Application reads from the Element:
System: CPU, Memory, Platform, Serial #, Versions, Uptime, Location, OIR, CLI Changes
Interfaces: Port, Slot, BW, MTU, TX/RX, BPS, PPS, Errors, Other Stats, Config, Link Changes
Discovery: CDP, Topology Graph, Edges, Nodes, Topology Changes
Routing, QoS, Security
Page 19
Setting Properties and Statistics
Application sets on the Element:
System: Location
Interfaces: IP address, MTU, Clear Stats, Shut/No Shut
Discovery: Filters
Key Area for Future Enhancements
Page 20
Example: Getting System Properties
    /* elemA, user, pwd, sh and property are declared earlier in the sample;
     * the slide excerpt does not check the onePK return codes */
    char *str = NULL;
    /* open a session to the network element */
    onep_element_connect(elemA, user, pwd, NULL, &sh);
    /* read the element properties (platform, versions, uptime, ...) */
    onep_element_get_property(elemA, &property);
    if (property) {
        /* render the element as a string; the caller owns the buffer */
        onep_element_to_string(elemA, &str);
        if (str) {
            fprintf(stderr, "\nElement Info: %s\n", str);
            free(str);
        }
    }
Page 21
Example: Getting System Properties
Page 22
Example: Simplified Management
Diagram: devices NX3K, CRS, 9K, 1K and ISR; each link end is labelled with its MTU (1500, 1518, 1600, 1000) and callouts 1 to 5 mark the steps below.
1. Network begins with mismatched parameters on either side of a link (e.g. MTU)
2. Application checks parameters on either side and identifies mismatches (red lines)
3. Application sets parameters to match (lines turn green)
4. Application registers for events related to parameter changes.
5. User logs into the console and manually changes a parameter. Topology indicates the change.
Problem: Misconfigurations cause network outages, degrade performance, impact SLAs.
Value proposition: Get, set, and detect configuration changes via cross-platform API
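The check-and-reconcile loop from steps 1 to 5 above, as an added example that is not onePK or Cisco code: link data is constructed inline in place of live onePK element and interface calls, the node and interface names are made up, and lowering both ends to the smaller MTU is an assumed policy, since the slide does not say which end wins.

```c
#include <stddef.h>

/* One end of a link: device, interface and its configured MTU. */
struct endpoint { const char *node; const char *intf; int mtu; };
struct link { struct endpoint a, b; };

/* Step 2: count links whose two ends disagree on MTU (the "red lines"). */
int count_mtu_mismatches(const struct link *links, size_t n) {
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (links[i].a.mtu != links[i].b.mtu) bad++;
    return bad;
}

/* Step 3: make both ends agree. Lowering to the smaller value is the
 * assumed, conservative policy: no end is asked to accept larger frames
 * than it does today. Returns the number of interface writes the app
 * would issue through the element API. */
int reconcile_mtu(struct link *links, size_t n) {
    int writes = 0;
    for (size_t i = 0; i < n; i++) {
        int want = links[i].a.mtu < links[i].b.mtu ? links[i].a.mtu : links[i].b.mtu;
        if (links[i].a.mtu != want) { links[i].a.mtu = want; writes++; }
        if (links[i].b.mtu != want) { links[i].b.mtu = want; writes++; }
    }
    return writes;
}

/* Steps 4 and 5: handler for an interface-change event, e.g. an operator
 * editing the MTU on the console. Returns 1 if the link is mismatched again. */
int on_mtu_change(struct link *l, int end_b, int new_mtu) {
    if (end_b) l->b.mtu = new_mtu; else l->a.mtu = new_mtu;
    return l->a.mtu != l->b.mtu;
}

/* Constructed topology using the MTU values shown on the slide;
 * node and interface names are invented for the example. */
struct link demo_links[4] = {
    {{"ISR",   "Gi0/0",     1500}, {"NX3K",  "Eth1/1",    1518}},
    {{"NX3K",  "Eth1/2",    1518}, {"ASR9K", "Gi0/0/0/0", 1600}},
    {{"ASR9K", "Gi0/0/0/1", 1600}, {"CRS",   "Gi0/0/0/0", 1500}},
    {{"CRS",   "Gi0/0/0/1", 1500}, {"ASR1K", "Gi0/0/0",   1000}},
};
```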
Page 23
MTU In Action
Page 24
Getting Policies and Routes
Application reads from Policy:
Routing: RIB, Next-Hop, metric, AD, scope (VRF), Changes
QoS: Configured Classes
Security: Configured ACLs
Page 25
Setting Policies and Routes
Application sets via Policy:
Routing: Static routes
QoS: Service-Policies (Police, Mark, Shape, Queue)
Security: ACLs
Page 26
Getting and Setting Routes
Get Routes
Set Routes
Page 27
Unique Data Forwarding Algorithm Highly Optimized for the Network Operator’s Application
Example: Custom Routing – Data Center Traffic Forwarding Based on a Custom Algorithm
Diagram: per-ISR pricing table for Route A and Route B ($1, $2, $3); the onePK app steers traffic to the Destination over Route A or Route B according to the prices (callouts 1 to 3).
Page 28
Custom Routing Initial Setup: Default routing using EIGRP
Page 29
Custom Routing Routing for Dollars: Application driven routes installed in network
Page 30
Custom Routing Tracing the application installed route – using the developer and element services
Page 31
Getting Packets
Application receives packets from the Data Plane: Copy or Punt Packets
Page 32
Injecting Packets
Application sends packets to the Data Plane: Inject New or Modified Packets
Page 33
Punting and Injecting Packets (C)
    /* TRY is the sample's own error-checking macro; it registers a callback
     * for packets of interesting_class arriving on element ne1 */
    TRY(rc, onep_dpss_register_for_packets(
            ne1,
            dpss,
            targ_left,
            interesting_class,        /* defines traffic of interest */
            ONEP_DPSS_ACTION_PUNT,    /* action to take on interesting traffic */
            encrypt_callback,         /* where traffic goes next */
            (void *)intf_left,
            &reg_handle), "Register for packets");
Page 34
Example: Custom Encryption
Problem: Customers want custom encryption on specific traffic types
Value proposition: Punt traffic of interest, encrypt, and re-inject.
Diagram: two routers, each running an onePK application, with an unsecure network between them; telnet traffic is encrypted between the two apps while http passes through, and callouts 1 to 5 mark the steps below.
1. Policy APIs on the ingress router are set to punt telnet and syslog to the app
2. App encrypts punted traffic and re-injects it into the data path.
3. Policy APIs on the egress router punt telnet and syslog to the app
4. App decrypts punted traffic and re-injects it into the data path.
5. Traffic that does not match the policy passes through unencrypted.
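The punt, transform and re-inject pipeline from the two slides above (the registration call and steps 1 to 5), as an added example that is not onePK code or the original sample: the packet model, classify() and transform_callback() are constructed stand-ins for interesting_class, ONEP_DPSS_ACTION_PUNT and encrypt_callback, and the XOR transform is only a placeholder so the block runs without a crypto library.

```c
#include <stdint.h>
#include <string.h>

enum action { ACTION_FORWARD = 0, ACTION_PUNT = 1 };

/* Minimal packet model (constructed); a real app receives a full frame from onePK. */
struct pkt {
    uint8_t  proto;       /* 6 = TCP, 17 = UDP */
    uint16_t dst_port;
    uint8_t  payload[64];
    size_t   len;
};

/* Stand-in for interesting_class: telnet (TCP/23) and syslog (UDP/514).
 * Everything else takes the normal forwarding path (step 5). */
enum action classify(const struct pkt *p) {
    if (p->proto == 6 && p->dst_port == 23) return ACTION_PUNT;
    if (p->proto == 17 && p->dst_port == 514) return ACTION_PUNT;
    return ACTION_FORWARD;
}

/* Stand-in for the app's transform. XOR with a fixed key is not encryption;
 * it is used only so the example runs offline, and a real app would call an
 * authenticated cipher here. Because XOR is its own inverse, one callback
 * serves as encrypt on the ingress router and decrypt on the egress router. */
static const uint8_t demo_key[8] = {0x5a, 0x13, 0x7e, 0xa9, 0x02, 0xc4, 0x61, 0x8f};

void transform_callback(struct pkt *p) {
    for (size_t i = 0; i < p->len; i++) p->payload[i] ^= demo_key[i % 8];
}

/* One router's data-path step: matching packets are punted to the callback
 * and re-injected; non-matching packets are forwarded untouched.
 * Returns the action taken so the caller can audit what was punted. */
enum action process(struct pkt *p) {
    enum action a = classify(p);
    if (a == ACTION_PUNT) transform_callback(p);   /* punt, transform, inject */
    return a;
}

/* Constructed helper: build a packet from a text payload. */
struct pkt make_pkt(uint8_t proto, uint16_t port, const char *data) {
    struct pkt p;
    memset(&p, 0, sizeof p);
    p.proto = proto;
    p.dst_port = port;
    p.len = strlen(data) < sizeof p.payload ? strlen(data) : sizeof p.payload;
    memcpy(p.payload, data, p.len);
    return p;
}
```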
Page 35
Custom Encryption in Action
What Client Sees What Wireshark Sees
Page 36
Emergency Response Network
Problem: How to deliver secure, trusted, robust, cost-effective broadband connectivity to mobile emergency response units?
Solution: Use Network Programming based on Cisco onePK and Cisco IOS Embedded Event Manager to integrate low-cost, high-bandwidth options with accredited legacy radio connectivity:
Diagram components: Cisco 819 (WiFi), EEM, Cisco 29xx, PMR Radio, Ka Band
1. Connect high-bandwidth forward clients via WiFi
2. Use Cisco IOS EEM for onboard system integration and adaptation
3. Use Cisco onePK to redirect IKE key exchange out-of-band via PMR network
4. Secure IPSec tunnel via cost-effective high bandwidth Ka Band
5. Reliable, secure emergency response network saving ~4M€ operating cost annually
pramacom COMMUNICATION & OPTICS
Page 37
What Could You Do With onePK? onePK Sample Applications
Page 38
Further ideas for deploying OnePK
Backup interface manipulation
Dynamically apply policy as needed
Firewall Applications / content filtering
Load Balancers
Packet and flow monitors
Traffic capture and injection
Quality of experience troubleshooting
Web management application with REST interface
Management over XMPP
Page 40
Summary: Portfolio of API, Languages and Abstractions
Network Programming with onePK and Embedded Network Automation
Native Network OS Embedded Automation: Event-/Expression-MIB, PfR, IPSLA Thresholds, Embedded Event Manager Applets, …
Advanced Network OS Embedded Scripting: Tcl, Python, Embedded Event Manager, EASy, …
Structured API: onePK C
Object Oriented API: onePK Java
Higher-Level Abstractions / Interfaces: onePK Libraries, REST, XMPP, Design Patterns, OMNI Controllers, …
Choice and Flexibility of Implementation
Network Automation – Embedded Automations
Page 41
Conclusion: Why onePK?
BUILD, AUTOMATE, IMPROVE
SPEED & FASTER ADAPTABILITY
EXTEND
REVENUE & COST SAVINGS
SIMPLICITY, INTEGRATION & THE POWER OF CHOICE
Page 42
Please rate this talk.
T-SDN2 / L2
Page 43
Thank you for your attention.