Intel Network Builders Summit: Key Lessons from an advanced multi-vendor NFV Trial

Editor's Notes

• #4: Anuta is a five year old company; we're a global company with headquarters in Bay Area and our key differentiator when it comes to orchestration is that we are a model driven platform that works for multi-vendor infrastructure. We support more than 35 leading vendor platforms and 100 plus different device models. We support both physical, virtual as well as SDN infrastructure.
• #5: Customers are going through a transition. Many of them have hybrid infrastructure. Some of them are still in the legacy infrastructure, but many are doing a trial on the NFV. And of course some advance customers and MSP’s are looking at SDN as an opportunity to cut down their operating expenses. Anuta builds on top this existing infrastructure and provides a transition path to the upcoming infrastructure. So we provide technology agnostic layer to the business.
• #6: This is a very busy slide as I mentioned, but it captures all the use cases that Anuta's NCX has already been deployed. You see here on the enterprise side, we support multiple use cases such as, Remote branch offices, virtual CPE. And on the service provider side, whether it's MPLS backbone network, public cloud integration, or the service providers enterprise network itself. And we have developed the YANG models; service models for all these use cases. Today we will focus on one simple use case, the virtual data centre. But the same solution works with the entire span of the infrastructure, whether its campus, branch, data center, cloud as well as public cloud.
• #7: Here is a detailed diagram of NCX. Everything in the light blue colour is NCX, in the middle of the diagram. NCX as you see here, the orchestration platform, it sits on top of the physical or virtual infrastructure. We have developed device models using either CLI, NETCONF or SNMP as well as REST API for 35 different industry leading vendors. On the East side we integrate with existing enterprise software. We integrate with license management, image management, IP address management. as well as service assurance and analytics platforms. NCX also can integrate with other VNF managers, such as VMware vCenter or Open Stack as well. On the North bound NCX has a comprehensive REST API. It integrates with OSS, BSS as well as Open Stack. NCX has YANG models for various different services that I just described.
• #8: A part from provisioning the services initially, NCX is constantly monitoring the infrastructure. If someone goes and manually changes the CLI, NCX is going to reconciliate and undo any changes. Or if it's a really required change, NCX will take up that policy into its database. So going forward it will be part of the master database. NCX also helps with auditing, as well as any workflows that enterprises and service providers have.
• #9: This is a detailed slide on YANG. As I said, this is critical to our success in POC. As you see here, we have de-coupled the service layer from the device layer. All the business logic, the service intent is explained in YANG. It can be easily customized or extended by the partners as well as customers. The business logic is typically written in python or Java. So you can re-use that across different customer deployments. At the bottom we have the device adapters. If the device automatically supports NETCONF, then the integration is quite smooth. But if it doesn't have YANG or NETCONF, we still have developed the concrete mappings that map the business intent to the actual CLI or NETCONF or API. So as you can see, it supports both existing infrastructure as well as upcoming infrastructure. As well as it supports CLI, NETCONF, YANG or API.
• #10: So let's focus on the POC itself. It is a Tier-1 Service Provider and they looked at NFV as an opportunity to reduce operating expenses as well as introduce business agility. And they are specifically looking at virtual data centre as their first POC.
• #11: And they insisted on multi-vendor functionality. They want the flexibility to rip and replace or switch one vendor with another vendor. And of course multi-tenancy is very important to them, because it's a managed services solution. And the entire solution has to be able to support multi-tenancy infrastructure: whether its the firewalls or load balancers. As well as the NCX software itself has to cater to multiple tenants. And the remaining requirements such as extensibility, scalablility and integration with OSS, BSS that you usually find in every POC.
• #12: When we started working on it, as you go through the details, the biggest challenge is the integration aspect. There are so many different vendors, each with their own API's, each with their own workflows. And we were able to integrate five different vendors to the deliver this NFV. And of course, there is performance and scalability, it is still working progress. But that's another important factor. Finally, it's not just about deploying the service one time, you have to think about the operational challenges too. How can I keep on adding services, updating the services, because, the end customer is expecting something similar to AWS. So the service provider is competing with very large scale public cloud providers and self-service and operational agility is very important to them.
• #13: So what is the solution? As you can see we partnered with HPE, and this is the famous NFV MANO Architecture. Anuta Networks provided the Orchestrator as well as the VNF manager, and HPE provided the NFVI. They provided the virtual routers, the Helion OpenStack version, and they also provided the SDN controller. It's called HPE DCN which is a OEM of the Nuage VSP. And finally logicalis has done the system integration. They integrated F5 LTM, Check Point Firewalls and Fortinet Virtual Firewall. So it's a combination of multiple vendors and multiple partners coming together to deploy a NFV use case which is virtual data center. So as you can see, the extensibility becomes critical to the success of this project. 
• #14: You need a platform that can support multiple vendors, multiple use cases, and it has to be done rapidly. So how does all these solutions fit together? I'll walk you through one workflow, for example. As you see the service provider already has a unified orchestrator that does compute, storage and network is done by anuta’s NCX. Anuta NCX provides orchestration, and VNF life cycle management, and it works with the NFVI. The NFVI can be multi vendor too, OpenStack as well as VMware vCenter that's running all the virtual machines.  The virtual appliances like HPE VRS, the virtual switch as well as the SDN controller which is from Nuage. And, wherever required, our NCX communicates with element management, such as the F5 BIG-IQ platform, Fortinet manager as well as check point API.
• #15: So let's look into detail as well. So this is a bit complex flow, all these slides are on the web, so you can download them as well. But the main point is that first user communicates with NCX. He wants to on board a tenant, he wants a network provisioned for that tenant, so what NCX does is that it will first communicate with the SDN controller, the Nuage SDN here. It sets up the tenants, sets up all the L2, L3 network for that SDN controller. Once that setup is done, it's now communicating with the OpenStack, the Helion OpenStack. Helion OpenStack will communicate with the element managers, and it would spin up the actual VNFs – Whether its the virtual switch or the virtual router, or virtual firewall or virtual load balancers. And finally NCX communicates to the EMS, the element manager, to configure day to day policies.
• #16: So once this setup is up and running, that's when you use NCX GUI. NCX, now that it abstracted all the physical and virtual layers, it provides you a simple drag and drop GUI. You can say, I want a three tier architecture and there is a layer 3 termination point with three different segments. And I need a perimeter firewall and the SDN controller is giving me all the L2-L3 Fabric. Like that, you can drag and drop and say, this is how my network service should look like. And you can customize it further, you can say, that firewall, because he is paying a lot of money, there should be a physical firewall. Or if you say, I want this service to have high availability. You can customize that. So you can also customize the packet path too, and all of this will be done using YANG modeling. Customers and partners can extend this YANG model to match the kind of service path that they want to enable. So we have done this kind of work with logicalis support for this customer. And within three weeks they were able to stand up this whole infrastructure. And once it is deployed, you introduce self-service. So you can say, now I would like to add another VIP, another real server, I want to change the firewall rules, I want to create NAT rules. I want to add zones, all those things can be done from the NCX GUI. The customer doesn't need to know the check point API or the Fortinet firewall UI. They just configure everything on the NCX GUI and the NCX will do the translation to the underlying infrastructure. Now as part of this service, if they say, no I need this to be a virtual firewall. NCX will automatically spin up that virtual firewall, it will communicate with OpenStack and say now let spin up that virtual firewall and start provisioning services after that.
• #17: So what are the results, as I said, this is a POC, so it's all about proving that all these integration points work as per the customer deployment. And as I said, YANG is the main reason behind our success in this POC. And we think going forward this level of separation from service and the device is going to be the reason to succeed in NFV world. And as I said, we have out of the box support for 35 different vendors, and that helped us a lot. And it helped with initial deployment as well as ongoing support, as well. Because we have all the technology partnerships with these leading industry vendors. Because when you are trying to deploy, you obviously run into issues, API problems, incompatibilities, all of those things. So that's why a good community model where you are partnering with all these leading vendors, really helps when you are under a POC time frame. And currently we are working to verify the scale across these multiple vendor deployments. The go live or production for this project is expected to be January of next year.
• #18: So what are the key lessons? We see more and more orchestrator is becoming critical, because customers, they want to have choice. They want to have multi-vendor deployments, and they want extensibility so that they can customize it to their own deployment. And finally they are moving beyond the initial provisioning. They want to be able to accelerate their operational issues, using KPI based metrics. So this is something key to going forward. The customer is looking at, okay, how can I look at the current operational statistics, and then bring that back into the orchestrator, and then provision the services accordingly. For example, one of the use case that came up was, I know this sort of threat is happening in my system, but I can't have a real time telemetry information. But I can explain that threat in this context. I can say, first I see this event happening. Then I see these three events happening in rapid succession, and then this fourth event happened. So once you can describe this workflow, however complex it may be, you can bring all that business logic back into NCX and you can define a YANG model for it. And obviously you can have the corrective actions such as adding ACL or shutting down the port, or redirecting traffic or spinning up new virtual firewalls, all of those things can be incorporated into the YANG Model. So that's where we are taking this platform next. Apart from the initial provisioning, how do you simplify the operational day-to-day concerns for them as well? And finally, many thanks to Intel, they gave us the platform to support us as well as introduce us to all the partners. They gave us legitimacy when we were very early. So thank you to intel builder's program. There are a lot of supporting material, we recently did a podcast with packet pushers also, so please check that out. Thank you.