Tungsten Fabric Overview
Sukhdev Kapur
OpenStack Summit, Berlin, November 14, 2018
MISSION
Build the world’s most ubiquitous, easy-to-use, scalable, secure, and cloud-grade SDN stack, providing a network fabric connecting all environments, all clouds, all people.
https://tungsten.io/
CODE
• 2013 - today: >300 years of work
• 200-300 developer contributions
• ~100 active developers
• Languages: C++, Python, Node, Go
• Apache 2.0 license
• Part of the Linux Foundation Networking
• GitHub repositories
• Gerrit review processes
• Launchpad bug tracking and blueprints
• Other OSS used: Cassandra, Kafka, HAProxy, Docker, Keystone
COMMUNITY
Principles:
• Open and inclusive
• Provide strong technical and architectural oversight
• Competitive ideas welcome
• Rough consensus and running code will always win
• Iterate and evolve
COMMUNITY: JOIN
• tungsten.io/slack
• https://lists.tungsten.io
• tungsten.io/community
• Online:
  • Downloads and trial sandbox
  • Talk with 900+ people: Slack, mailing lists
  • Follow: Blog, YouTube, Facebook, Twitter
  • GitHub: presentations, tutorials
• Live (see calendar):
  • Conferences: OpenStack, KubeCon, ONS, re:Invent and GC Next
  • Meetups: host your own or join some
  • User Group events: often at conferences
  • Governance summits
• Groups: Governance, Technical, Infrastructure
• Community manager: Randy Bias (Acting)
COMMUNITY MEMBERS (member logo slide)
Networking in the Data Center
• Networking is the most overlooked and underestimated component in any stack
• Networking is the focal point for most security and scalability issues
• Tungsten Fabric is a fully distributed, microservices-based SDN controller addressing security, scale and advanced networking services
• Production-grade networking stack for data center, public and edge cloud
• Highly available, with ISSU (In-Service Software Upgrade) support
• Full fabric management: overlay and underlay networks
Tungsten Fabric as SDN Controller
RULE THEM ALL WITH ONE automated, secure, open SDN controller
• Public & private IaaS
• CaaS & PaaS
• VMs or metal
PAST, PRESENT & FUTURE (timeline: v1, v2, v3, v4, v5+)
• Docker & ESXi runtime support
• Kubernetes and CNI support
• VMware vSphere support
• OpenShift and Mesos support
• DPDK vRouter
• Containerize project
• Prototype with Kubernetes v1.1
• New install with Ansible or Helm
• OpenStack networking at scale
• Node-port service chaining
• NFV service chaining
• Improve analytics with Kafka
• Analytics collection/querying
• LBaaS
• REST API and GUI
• ToR switch as OVSDB gateway
• Microservices
• Security focus
• Multicloud deployability
• Switching fabric focus
• Declarative network as code
FEATURES
Architecture Overview
USER EXPERIENCE
NORTH-BOUND API
• REST API
• HTTPS authentication and role-based authorization
• Used for the GUI
• Used for declarative configuration as code
• Generated from the data model
GUI
Visualizing Tungsten Fabric’s Operational Effects (diagram)
LOGICAL (policy definition):
• Security Groups
• TF Security Policy (e.g. allow only HTTP traffic; non-HTTP traffic is blocked)
• Service chain policy with a firewall VNF
• Virtual networks GREEN (G1, G2, G3), BLUE (B1, B2, B3) and YELLOW (Y1, Y2, Y3)
PHYSICAL (policy enforcement):
• Intra-network traffic
• Inter-network traffic traversing a service VM and a virtualized network function pool
• Workloads (G1, Y1, B3, G3, B1, G2, B2, Y3) spread across hosts with hypervisors, connected over the IP fabric (switch underlay)
Seamless Multi-Cloud Overlay SDN
• Ubiquitous security: centralized security policy orchestration with distributed enforcement across multiple clouds
• Virtual networking: overlay virtual networking provides connectivity for VMs and containers
• Multicloud SDN / overlay SDN
• Distributed compute platforms: leverage the right balance of edge compute, private cloud compute, and public cloud compute to deploy services
• Performance and scale: manage remote compute resources, high-performance virtual network functions, and containers using the same tools
Diagram elements: users, telco POPs, private cloud DC, public cloud VPC
Tungsten Fabric vRouter Architecture & Overview
Diagram (compute host): the vRouter Agent (user space) holds config, VRFs and the policy table and talks XMPP to the Control Node; it programs the vRouter kernel module (routing instances, vhost0) over Netlink via pkt0; tenant VMs (Tenant A, Tenant B) attach via tap interfaces (tap-abc, tap-xyz); the host uplink is ethX or bondX.
vRouter Agent:
• Exchanging control state such as routes with the Control nodes using XMPP.
• Receiving low-level configuration state such as routing instances and forwarding policy from the Control nodes using XMPP.
• Reporting analytics state such as logs, statistics, and events to the analytics nodes.
• Installing forwarding state into the forwarding plane.
• Discovering the existence and attributes of VMs in cooperation with the Nova agent.
• Applying forwarding policy for the first packet of each new flow and installing a flow entry in the flow table of the forwarding plane.
• Proxying DHCP, ARP and DNS.
vRouter Kernel/DPDK:
• Encapsulating packets sent to the overlay network and decapsulating packets received from the overlay network.
• Packets received from the overlay network are assigned to a routing instance based on the MPLS label or Virtual Network Identifier (VNI).
• Looking up the destination address in the Forwarding Information Base (FIB) and forwarding the packet to the correct destination. The routes may be layer-3 IP prefixes or layer-2 MAC addresses.
• Performing an RPF check before sending virtual machine traffic to its destination. This is configurable.
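To make the policy and flow-handling behaviour on the last two slides concrete (policy enforced per virtual network, first packet of a flow evaluated against policy and then cached as a flow entry, routing instance chosen by VNI, FIB lookup, RPF check), here is an added simulation. It is teaching code written for this page, not Tungsten Fabric's own vRouter code; every network name, VNI, address, tap interface and policy rule in it is constructed, and the "allow only HTTP between GREEN and BLUE" rule mirrors the example policy on the diagram slide.

```python
"""Constructed simulation of a flow-based overlay forwarding plane (not TF code).

Models the vRouter behaviour described on the slides: a packet from the fabric is
mapped to a routing instance by VNI, a packet from a local VM by its tap interface;
the first packet of a new flow is checked against the policy table and the verdict
is cached as a flow entry; a per-instance FIB lookup picks the next hop; an RPF
check drops VM packets whose source address does not belong on the ingress tap.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple, Union

# --- constructed state (stands in for what the control node pushes to the agent) ---
VNI_TO_INSTANCE: Dict[int, str] = {100: "GREEN", 200: "BLUE", 300: "YELLOW"}
TAP_TO_INSTANCE: Dict[str, str] = {
    "tap-g1": "GREEN", "tap-g2": "GREEN", "tap-b3": "BLUE", "tap-y1": "YELLOW",
}
# Per-instance FIB: destination IP -> local tap interface (next hop on this host)
FIB: Dict[str, Dict[str, str]] = {
    "GREEN": {"10.1.0.1": "tap-g1", "10.1.0.2": "tap-g2"},
    "BLUE": {"10.2.0.3": "tap-b3"},
    "YELLOW": {"10.3.0.1": "tap-y1"},
}
# Interface each VM address is expected to originate from (RPF check)
RPF_TABLE: Dict[str, str] = {
    "10.1.0.1": "tap-g1", "10.1.0.2": "tap-g2", "10.2.0.3": "tap-b3", "10.3.0.1": "tap-y1",
}
# Policy table: (src network, dst network) -> allowed dst ports, or "*" for any.
# Pairs with no entry are denied, as with the slide's "allow only HTTP" policy.
POLICY: Dict[Tuple[str, str], Union[str, Set[int]]] = {
    ("GREEN", "GREEN"): "*",
    ("BLUE", "BLUE"): "*",
    ("GREEN", "BLUE"): {80, 443},
}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    ingress_if: str            # "vhost0" = decapsulated from the fabric, else a local tap
    vni: Optional[int] = None  # only meaningful for fabric packets


FlowKey = Tuple[str, str, str, int]  # (instance, src_ip, dst_ip, dst_port)


def instance_of_dst(dst_ip: str) -> Optional[str]:
    """Find which virtual network owns a destination address (reverse FIB search)."""
    for name, routes in FIB.items():
        if dst_ip in routes:
            return name
    return None


class SimVRouter:
    def __init__(self) -> None:
        self.flow_table: Dict[FlowKey, str] = {}  # cached verdict per flow
        self.policy_lookups = 0                    # slow-path (first-packet) evaluations

    def _ingress_instance(self, pkt: Packet) -> Optional[str]:
        if pkt.ingress_if == "vhost0":
            return VNI_TO_INSTANCE.get(pkt.vni) if pkt.vni is not None else None
        return TAP_TO_INSTANCE.get(pkt.ingress_if)

    @staticmethod
    def _policy_allows(src_net: str, dst_net: str, port: int) -> bool:
        rule = POLICY.get((src_net, dst_net))
        if rule is None:
            return False
        return rule == "*" or port in rule

    def process(self, pkt: Packet) -> str:
        instance = self._ingress_instance(pkt)
        if instance is None:
            return "drop:unknown-instance"
        # RPF: a VM may only send from the address bound to its own tap.
        if pkt.ingress_if != "vhost0" and RPF_TABLE.get(pkt.src_ip) != pkt.ingress_if:
            return "drop:rpf"
        key: FlowKey = (instance, pkt.src_ip, pkt.dst_ip, pkt.dst_port)
        if key in self.flow_table:          # fast path: flow entry already installed
            return self.flow_table[key]
        self.policy_lookups += 1            # slow path: first packet of this flow
        dst_net = instance_of_dst(pkt.dst_ip)
        if dst_net is None:
            verdict = "drop:no-route"
        elif not self._policy_allows(instance, dst_net, pkt.dst_port):
            verdict = "drop:policy"
        else:
            verdict = "fwd:" + FIB[dst_net][pkt.dst_ip]
        self.flow_table[key] = verdict      # cache the verdict for later packets
        return verdict


def demo() -> Dict[str, str]:
    """Run a handful of constructed packets through the simulated vRouter."""
    vr = SimVRouter()
    results = {
        "g1_http_to_b3": vr.process(Packet("10.1.0.1", "10.2.0.3", 80, "tap-g1")),
        "g1_http_to_b3_again": vr.process(Packet("10.1.0.1", "10.2.0.3", 80, "tap-g1")),
        "g1_ssh_to_b3": vr.process(Packet("10.1.0.1", "10.2.0.3", 22, "tap-g1")),
        "spoofed_src_on_g1": vr.process(Packet("10.1.0.2", "10.2.0.3", 80, "tap-g1")),
        "g1_to_y1": vr.process(Packet("10.1.0.1", "10.3.0.1", 80, "tap-g1")),
        "fabric_vni200_to_b3": vr.process(Packet("10.1.0.1", "10.2.0.3", 80, "vhost0", vni=200)),
        "fabric_bad_vni": vr.process(Packet("10.1.0.1", "10.2.0.3", 80, "vhost0", vni=999)),
    }
    results["policy_lookups"] = str(vr.policy_lookups)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The second HTTP packet hits the cached flow entry, so the policy table is consulted only once for that flow; the SSH packet and the GREEN-to-YELLOW packet are dropped (and the drop is cached too), and the packet whose source address does not belong to its ingress tap never reaches the policy stage because the RPF check rejects it first.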
VROUTER DEPLOYMENT MODELS
KERNEL VROUTER (vRouter Agent, VM1, VM2, …)
▪ This is the normal operation, where the forwarding plane of the vRouter runs in the kernel and is connected to VMs using TAP interfaces (or veth pairs for containers)
DPDK VROUTER (vRouter Agent, VM1, VM2)
▪ Requires the VMs to have DPDK enabled for performance benefits
▪ vRouter runs as a user-space process and uses DPDK for fast-path packet I/O
▪ Full set of SDN capabilities supported
▪ vRouter itself is enhanced using other performance-related features:
  o TSO / LRO
  o Multi-queue virtio
SRIOV / VROUTER COEXISTENCE (vRouter Agent, VM1, VNF2, …)
▪ Sometimes a VNF can have multiple interfaces, some of which are SR-IOV-ed to the NIC
▪ Interfaces that are SR-IOV-ed into the NIC don’t get the benefits / features of vRouter
▪ Some workloads can go directly via SR-IOV into the NIC, while others go through the vRouter
SMARTNIC VROUTER (vRouter Agent, VM1, VM2, …)
▪ vRouter forwarding plane runs within the NIC
▪ Workloads are SR-IOV-connected to the NIC
The Latest from Tungsten Fabric
Housekeeping:
➢ Microservices architecture
➢ Better cloud-native deployment options
Container SDN, VMs and NFV:
➢ Comprehensive support for network objects
➢ Improved flow performance and management
➢ Ingress/egress network policy
➢ SDN for edge compute (beta quality)
➢ High-performance load balancing
Tungsten Fabric Kubernetes Support (Helm)
What are Tungsten Fabric Helm charts? (Tungsten Fabric Helm)
OpenStack and TF Helm Overview: OpenStack Helm, Tungsten Fabric Helm, OpenStack & TF Helm solution
Tungsten Fabric Integration with K8s (diagram)
* contrail-kube-manager listens to the K8s API server and conveys API requests to the Contrail Controller
Master (namespace kube-system): API Server, kubectl (user commands), Controller/Replication Manager, Scheduler, Discovery, Dashboard, etcd, contrail-kube-mgr, Contrail Controller, Contrail Analytics
Compute Node-01: Kubelet, CNI plugin, vRouter (replaces kube-proxy), POD 1, POD 2, POD 3
Compute Node-02: Kubelet, CNI plugin, vRouter (replaces kube-proxy), POD 4