How to Implement SDN Technology in ITB Affan BasalamahSDN/NFV Days ITB 201621-03-2016

# whoami• Affan Basalamah

• Head of IT Development

• Direktorat Sistem Teknologi Informasi (DSTI)

• Institut Teknologi Bandung

• affan@itb.ac.id

• @affanzbasalamah

Pesan dari Presentasi ini• Saya tunjukkan bagaimana sebuah perguruan tinggi

teknologi membuat jaringan dalam kampus menjadi platform riset teknologi SDN/NFV tanpa mengganggu jaringan production

Jabatan saya: IT• Apa yang harusnya saya lakukan:

• Connecting

• Connecting who?

• Academic/Research in ITB

• with: IT/Telco Industries outside: telco, tech vendor

Institut Teknologi Bandung Aula Barat ITB

Gedung PAU ITB

Era Kabel Kuning dan WaveLAN

Era Cisco Catalyst 6500, Fiber Optic dan PC Router

Campus Core Network

Apa yang telah dicapai• 20 tahun yg lalu ITB pernah membuat sebuah network

yang menghasilkan:

• Production network & development network

• Tidak ada SLA pada waktu itu

• Expert, dgn knowledge dan experience

• Dosen sebagai network/system admin

• Student volunteer sebagai network/system admin

Apa yang ingin dicapai• Dalam 2-3 tahun kedepan membuat sebuah network

yang mampu menghasilkan:

• Production network & development network

• Di saat SLA layanan IT & Internet sangat ketat

• Expert, dgn knowledge dan experience

• Dosen & students sebagai researcher

• IT sebagai developer

20161996 Future????

Expert w/ Knowledge Experience

Network Services

Expert w/ Knowledge Experience

Bagaimana mencapainya?• SDN-supported Datacenter, Core, dan Access Network

• Experimen SDN di ITB dapat memakai network ini

• Tanpa mengganggu production network

• SDN/NFV Research/Development activities

• SDN/NFV Labs, Testbeds, Research Center

• SDN/NFV Communities

Networking in 5+ minutes

What kind of networks• Edge: Connecting External Networks

• Datacenter: All of the application system

• Core: Networking highway

• Access: Connecting Endpoints

Network Components• Switching: Ethernet Switch, WiFi AP

• Routing: IP Router

• Services: Firewall, NAT, ADC

Production Network• Access to Edge via Core (outgoing)

• Access to Datacenter via Core (outgoing)

• Edge to Datacenter via Core (incoming)

• Datacenter to Datacenter via Core

• Every connection has network policies

• ACL, authentication, authorization, content policy

Experimental Network• Experiment access to Edge via Core

• Experiment access (labs) to Datacenter via Core

• Experiment cloud Datacenter to Datacenter via Core

• Experiment Edge to Datacenter (labs) via Core

• The policies are there are no network policies

• Firewall open, no authentication, etc.

Running under same equipment• Core Switch

• Datacenter switch

• Access switch

Campus Core Network

PAU Labtek V

Labtek VIII

CCAR

CRCS

PAU Labtek V

Labtek VIII

CCAR

CRCS

3 Tahap • Mengenal Jaringan

• Mengenal teknologi yang bisa dipakai

• Rencana & pelaksanaan Implementasi

ITB Enterprise Network

Core Network • 1 GbE optical & 1GbE copper

• 10 GbE optical, Ready for 40/100 GbE

• Enterprise features: STP, VLAN, OSPF, BGP, IPv6

• Service Provider: MPLS, L3VPN, L2VPN, VPLS

• Software Defined Network (SDN): OpenFlow v1.0/1.3

• Brocade MLXe-8 & Juniper EX9200

Enterprise Network Technology• L2 Switching

• L3 Routing: OSPF

• IPv6 Routing (OSPFv3, BGP)

• IPv6 Multicast Routing

• Policy Based Routing (PBR) and Access Control List (ACL)

• Existing network working as usual

High Availability Features• Redundant Management Module

• Redundant Power Supply with new UPS

• Link Aggregation Groups (LAG)

• BiDirectional Forwarding Detection (BFD)

Network Security Features• Management network CPU protection

• L2 ACL, IPv4 & IPv6 ACL

• SSH & SCP authentication via TACACS+ & RADIUS

• DDoS Rate Limit Protection

Management Network• Dedicated ethernet management port

• SNMP

• TACACS+ & RADIUS

• Support RANCID

• NTP

• Syslog

• SFlow

• NETCONF

Datacenter Network• 10 GbE & 40 GbE interfaces

• Supporting Server technology:

• HPC Blade

• Cloud computing

• iSCSI Storage Area Networking

Ethernet Fabric• L2 for virtualization & cloud

• Inter datacenter with VPLS from Core Network

• VMware vCenter management & OpenStack plugins

• Fabric Ethernet technology with TRILL

• Brocade VDX6740 Fabric Ethernet Switch

Edge Gateway Network• Juniper MX80 for Gateway Router

• Juniper SRX650 for Firewall

• Sophos UTM650 for DPI

• Brocade ADX1000 for Application Delivery Switch

• Cisco ASR1002 for NREN Gateway Router

Access Network• L2 switches, mixed of:

• Brocade ICX6430/6450

• Juniper EX2200

• Cisco Catalyst 3560

• VLAN & Spanning-Tree

• Security features: DHCP snooping, 802.1x

Wireless Network• Ruckus Wireless

• Wifi Controller

• Wifi Access Point Indoor

• Ready for 3G Offload in Campus

• Wifi Access Point Outdoor

Management Network• Support for existing: SNMP, CLI, feeding Cacti & Nagios

• Management VRF

• SFlow for data collection & telemetry

• New apps with SFlow-RT with OpenFlow

• NETCONF & YANG

• Support new application

Brocade MLXe-8 Core Network

Brocade MLXe-8 Core Network

Campus Core Network

Campus Core Network

PAU Labtek V

Labtek VIII

CCAR

CRCS

Core & Access Network

PAU Labtek V

Labtek VIII

CCAR

CRCS

Campus Wifi Network

WiFi Controller

DHCP/DNS/ AAA

Internet

Firewall

DPI-L7

Router

PAU Labtek V

Labtek VIII

CCAR

CRCS

Datacenter Network

SLB

Firewall

DPI-L7

Router

Fabric Ethernet

Fabric Ethernet

Cloud/ BigData/

HPC

Cloud/ BigData/

HPCInternet

PAU Labtek V

Labtek VIII

CCAR

CRCS

Service Provider Network

MPLS Network• MPLS forwarding

• LDP or RSVP or BGP signalling

• L3VPN for new services

• L2VPN for new services

• VPLS for new services

Core & Access Network

PAU Labtek V

Labtek VIII

CCAR

CRCS

MPLS Service Network - L3VPN

Internet

Router

Surveillance Monitor System

Registration & Payment

PAU Labtek V

Labtek VIII

CCAR

CRCS

DPI-L7

Router

Internet

3G/4G Offload Wifi Network

WiFi ControllerCell1Cell2

Cell3

SSID Cell3

SSID Cell3SSID Cell2

SSID Cell2

SSID Cell1

SSID Cell1

DHCP/DNS/ AAA

PAU Labtek V

Labtek VIII

CCAR

CRCS

Wifi Network with VPLS

WiFi Controller

DHCP/DNS/ AAA

Internet

Firewall

DPI-L7

Router

PAU Labtek V

Labtek VIII

CCAR

CRCS

Datacenter Network with VPLS

SLB

Firewall

DPI-L7

Router

Fabric Ethernet

Fabric Ethernet

Cloud/ BigData/

HPC

Cloud/ BigData/

HPCInternet

PAU Labtek V

Labtek VIII

CCAR

CRCS

Research & Education Network

OpenFlow SDN• Core network support OpenFlow v1.0

• Hybrid Port Mode with Protected & Unprotected VLANs

• Protected VLANs is not subject to defined OpenFlow flows

• Regular network can coexist with OpenFlow

• VPLS support on VLAN on OpenFlow Hybrid Mode

• L2 mode & L3 mode

• OpenFlow actions & counters

Management, Control & Data Planes

14 © ipSpace.net 2013 SDN, OpenFlow and NFV for Skeptics

Management, Control and Data Planes

Adjacent routerAdjacent router Router

Control planeControl plane Control plane

Data plane Data planeData plane

OSPF OSPF

Neighbortable

Link statedatabase

IP routing table

Static routes

Forwarding table

Switching

Routing

OSPF

Management / Policy plane

Configuration / CLI / GUI

This material is copyrighted and licensed for the sole use by Affan Basalamah (affan@itb.ac.id [202.152.202.105]). More information at http://www.ipSpace.net/Webinars

Existing toolbox for SDN

22 © ipSpace.net 2015 SDN – Four Years Later

SDN Toolbox: Existing Tools!

Router

Control plane

Data plane

Neighbortable

Link statedatabase

IP routing table

Static routes

Forwarding table

OSPF

Management / Policy plane

Configuration / CLI / GUINETCONF

ForCES, BGP Flowspec, MPLS-TP

PCEP

BGP SNMP

This material is copyrighted and licensed for the sole use by Affan Basalamah (affan@itb.ac.id [180.214.233.86]). More information at http://www.ipSpace.net/Webinars22 © ipSpace.net 2015 SDN – Four Years Later

SDN Toolbox: Existing Tools!

Router

Control plane

Data plane

Neighbortable

Link statedatabase

IP routing table

Static routes

Forwarding table

OSPF

Management / Policy plane

Configuration / CLI / GUINETCONF

ForCES, BGP Flowspec, MPLS-TP

PCEP

BGP SNMP

This material is copyrighted and licensed for the sole use by Affan Basalamah (affan@itb.ac.id [180.214.233.86]). More information at http://www.ipSpace.net/Webinars

Emerging toolbox for SDN

23 © ipSpace.net 2015 SDN – Four Years Later

SDN Toolbox: Emerging Protocols!

OF-Config, XMPP, OVSDB, Puppet/Chef

OpenFlow

I2RS, OVSDB

OnePK

Router

Control plane

Data plane

Neighbortable

Link statedatabase

IP routing table

Static routes

Forwarding table

OSPF

Management / Policy plane

Configuration / CLI / GUI

This material is copyrighted and licensed for the sole use by Affan Basalamah (affan@itb.ac.id [180.214.233.86]). More information at http://www.ipSpace.net/Webinars

23 © ipSpace.net 2015 SDN – Four Years Later

SDN Toolbox: Emerging Protocols!

OF-Config, XMPP, OVSDB, Puppet/Chef

OpenFlow

I2RS, OVSDB

OnePK

Router

Control plane

Data plane

Neighbortable

Link statedatabase

IP routing table

Static routes

Forwarding table

OSPF

Management / Policy plane

Configuration / CLI / GUI

This material is copyrighted and licensed for the sole use by Affan Basalamah (affan@itb.ac.id [180.214.233.86]). More information at http://www.ipSpace.net/Webinars

SDN for Device ConfigurationController

Router Access switch

Apps

Core switch

Distrib switch

Core switch

Core switch

Core switch

Core switch

Device configuration

SDN for Service ConfigurationController

Router

Hypervisor

Apps

Core switch

Multitenant VM

Core switch

Core switch

Core switch

Core switch

Service configuration

Hypervisor

ToR switch

Figure 1-6. Storage node

Example Component ConfigurationTable 1-2 and Table 1-3 include example configuration and considerations for boththird-party and OpenStack components:

Table 1-2. Third-party component configurationComponent Tuning Availability Scalability

MySQL binlog-format = row

Master/master replication. However, both nodes arenot used at the same time. Replication keeps allnodes as close to being up to date as possible(although the asynchronous nature of the replicationmeans a fully consistent state is not possible).Connections to the database only happen through aPacemaker virtual IP, ensuring that most problemsthat occur with master-master replication can beavoided.

Not heavily considered. Onceload on the MySQL serverincreases enough thatscalability needs to beconsidered, multiple mastersor a master/slave setup canbe used.

Example Architecture—OpenStack Networking | 19

Figure 1-6. Storage node

Example Component ConfigurationTable 1-2 and Table 1-3 include example configuration and considerations for boththird-party and OpenStack components:

Table 1-2. Third-party component configurationComponent Tuning Availability Scalability

MySQL binlog-format = row

Master/master replication. However, both nodes arenot used at the same time. Replication keeps allnodes as close to being up to date as possible(although the asynchronous nature of the replicationmeans a fully consistent state is not possible).Connections to the database only happen through aPacemaker virtual IP, ensuring that most problemsthat occur with master-master replication can beavoided.

Not heavily considered. Onceload on the MySQL serverincreases enough thatscalability needs to beconsidered, multiple mastersor a master/slave setup canbe used.

Example Architecture—OpenStack Networking | 19

Multitenant VM

SDN for RIB/FIB AdjustmentsController

Router Access switch

Access point

Hypervisor

Apps

Core switch

Distrib switch

Core switch

Core switch

Core switch

Core switch

Routing & Forwarding Adjustment

BGP-LS, PCEP, Quagga

MPLS-TE automatic tunnel

Centralized Control Plane - OpenFlow

Router Access switch

Access point

Hypervisor

Apps

Core switch

Distrib switch

Core switch

Core switch

Core switch

Core switch

Forwarding flow (e.g. 11-tuples)

OpenFlow

SDN for DDoS ProtectionOpenFlow

-RT DDoS

User

PAU Labtek V

Labtek VIII

CCAR

CRCS

Network Slicing with OpenFlowFlowVisorOpenFlow

C1C2C3

Slice 1

Slice 2

Slice 3

PAU Labtek V

Labtek VIII

CCAR

CRCS

Software Defined NetworkOpenFlow

Juniper MX80 Mikrotik

OpenWRT

OpenvSwitch

Apps

PAU Labtek V

Labtek VIII

CCAR

CRCS

SDN, Cloud & DevOps Tools

Mininet

Opensource SDN Process Simplified

SDN Activities & Research

SDN Activities in Campus• Existing:

• SDN Course in ITB: Telecommunication Engineering : EL5244 - Software Defined Networking by by Dr.-Ing. Eueung Mulyana

• SDN Testbed Trial di Campus Backbone (Tugas Akhir)

• OF@TEIN

• Coming possibility:

• SDN/NFV Labs and Research Center

• SDN/NFV Testbed between campus in Indonesia

SDN Course in ITBTelecommunication Engineering : EL5244 - Software Defined Networking

• Lectured by Dr.-Ing. Eueung Mulyana

Thesis/Final Projects:

• Design & Implementation of Multicast Streaming Application on A Local OpenFlow Network

• Design & Implementation of MPLS Service on OpenFlow Network with Open vSwitch

• Implementation & Analysis of Elastic Load Balancing for DNS Service on OpenStack Cloud

• Sustainable Campus-Scale OpenFlow Testbed at ITB

• Design & Implementation Site-to-Site IPsec VPN on OpenStack

Design & Implementation of Multicast Streaming Application on A Local OpenFlow Network

Dummy%client

Streaming%server OpenFlow%Controller

Client%1 Client%2 Client%3

Design Multicast Video Streaming Application on Unicast Network Using Floodlight (OF1.0)

Campus-Scale OpenFlow Testbed

Campus-Scale OpenFlow Testbed

Campus-Scale OpenFlow Testbed

Possibility• SDN/NFV Labs to Research Center

• SDN/NFV Testbed antar campus di Indonesia

SDN/NFV Labs• Laboratorium SDN/NFV

• Proof of concept for SDN/NFV application

• Start from the labs, experiment across campus

• Expanding to SDN/NFV Research Center

SDN/NFV Test Bed• Experimental test bed across campus

• Extending test bed between campus/research group

• Leveraging Indonesia Research Education Network

What’s Next: Collaboration

But don’t forget the human• Pengembangan human resource

• SDN/NFV community in ITB

• Activity: discussion, small labs, seminar

• Next step: meetup, small workshop

• Extending to: seminar, workshop, training

SDNRG ITB• SDN Research Group at ITB

• http://sdnrg.itb.ac.id

• sdnrg@itb.ac.id

• twitter.com/sdnrgitb

• facebook.com/sdnrgitb

• Special Interest Groups on Networking and Connected Services (e.g. OpenStack, Internet of Thing)

But why?

• SDN & Cloud Computing is multidiscipline topics

• No entities can understand it all completely

• Academics, Operators & Vendors needs each others:

• Academics need real use case for their research

• Operators need help for their problems

• Vendors need customers to propose their solutions

SDNRG ITB can bridge the gaps

• Academic can get real use case from practitioners

• Networkers can get help understanding SDN tech

• Vendors can promote SDN tech to educated community

After the gaps is small, whats next?

• Educated researchers can build SDN tech solutions for practitioners that fit to the real use case

• Educated networkers can architect better SDN solutions that leads to better network, with help from researchers & vendors

• Educated vendors can propose SDN solutions to the right customers

SDNRG 1st Meetup, Bandung 2014

OpenStack Mini Workshop, Bandung 2015

The Message• Saya tunjukkan bagaimana sebuah perguruan tinggi

teknologi membuat jaringan dalam kampus menjadi platform riset teknologi SDN/NFV tanpa mengganggu jaringan production

Let’s make it happen!

Terima kasih!