Brocade Software Networking: Openness. Agility. Economics.
Curt Beckmann, EMEA Chief Technology Architect; Open Datapath WG Chair, ONF
© 2015 BROCADE COMMUNICATIONS SYSTEMS, INC. COMPANY PROPRIETARY INFORMATION

Agenda
Industry Trends
Quick SDN / NFV Overview
Introduction of Brocade SDN / NFV Portfolio
Brocade Flow Optimizer REN Use Cases

An Industry in Transition
[Figure: platform timeline starting at 1975, with an “IT Relevance Gap” between Expectations and Delivery.]
1st Platform: Mainframes, PCs; SNA Arch, Private Lines
2nd Platform: Client-Server; LAN/WAN, Internet & IP Networks
3rd Platform: Cloud, Mobile, Social, Data Analytics, “Digital business”
Figure labels: <100M Mobile devices, 16M Internet Users, 2700 Websites; 7B Mobile devices, 2B Internet Users, 1B Web sites
© 2014 BROCADE COMMUNICATIONS SYSTEMS, INC

What the 3rd Platform Looks Like
[Figure: 3rd Platform (Cloud, Mobile, Social, Data Analytics, “Digital business”); 7B Mobile devices, 2B Internet Users, 1B Web sites; IT Relevance Gap between Expectations and Delivery.]
New IP: Storage, Compute, Networking; Overlay, Underlay, Edge, SDN, NFV, Orch, Fabrics
From -> To:
Closed -> Open
Proprietary HW -> Commodity HW
Proprietary OS -> Open Source OS
Proprietary Apps -> Interoperable Apps
Reactive -> Proactive
Isolated elements -> Integrated system
Manual -> Automated
High cost -> Low cost
Slow innovation -> Rapid innovation

New IP—Transformation of the Network
A Customer Driven Disruption
The New Vision: Open with a purpose; Innovation at software speeds; Ecosystem-compatible solutions; Your pace, your path
How You See It Today: Open source, interoperable protocols; Agility, Training, Partnering, Services; Legacy + NG Features, Open Interfaces; Solutions with interoperable components

Software Defined Networking (SDN)
A Programmable Network—Design, Build, Manage
Diagram labels: Applications and Orchestration Frameworks; REST APIs; Control Plane; Basic Network Services: Topology Mgr, Switch Mgr, Host Tracker, Stats Mgr; Network protocols like OpenFlow; Data Plane
Key Features: Network algorithms decoupled from Hardware
Advantages:
Network automation can integrate with other disciplines
Less lock-in; Users can choose features to suit their needs
Networking control can innovate at software speeds

Network Functions Virtualization (NFV)
Diagram labels: Hardware; Software; Router; VPN; Firewall
Main Features:
Complex networking functions in software on commodity servers
Simpler networking functions in commodity networking devices
Advantages:
Remove hardware lock-in
Simplify resource planning
Enable fast service innovation
Soft upgrades
Meet SLAs
Reduce CAPEX/OPEX

Brocade Software Networking: Agile, Open, Economics
Diagram labels: Branch; Cloud; IPsec; Brocade vRouter; Web Client; Brocade SDN Controller; Brocade vADC; Web Server 1, Web Server 2, Web Server 3; Data Center; Virtualized Core for Mobile

Brocade SDN Apps

Brocade Flow Manager
It delivers: Backbone Circuit Provisioning
Use Cases: Software Defined Backbone
Target Networks: Production Backbone (Enterprise, REN, Colo DC)

Brocade Flow Optimizer
It delivers: Provides Network sensor based services without disruption
Use Cases: A) Threat Mitigation; B) Large Flow Monitoring and Optimization
Target Networks: Production Network (Campus, DC Core/Border, ISP Peering Router, REN HPC)

Brocade Visibility Manager
It delivers: Manages Brocade Packet Broker
Use Cases: A) Traffic aggregation, replication and load-balancing to tools; B) Advance/Expert Interface with 3rd-party integration
Target Networks: Visibility Network (Large Enterprise, REN, DC)

© 2016 BROCADE COMMUNICATIONS SYSTEMS, INC

Brocade OpenFlow-capable Hardware Families
The MLXe Router and ICX Campus product lines
ICX 7450 Switch; ICX 7250 Switch; ICX 6610 Switch; ICX 6450 Switch; ICX 7750 Switch; MLXe Series Routers

L2 / L3 Firewall Bypass: Science-DMZ Use Case
HPC: High Performance Computing. DTN: Data Transfer Nodes.
[Diagram: WAN/Internet, Firewall, Brocade MLXe Router, HPC/DTN Network, Brocade SDN Controller, Open Daylight, Brocade Flow Optimizer; flow path markers 1 to 6.]
1: Incoming flow from upstream network
2: Sent to Firewall for processing
3, 4: Brocade Flow Optimizer recognizes this as a trusted flow and programs Brocade MLXe using the controller to bypass the firewall for this flow
6: “White-listed” flow now bypasses Firewall and data transfer is faster and more efficient
L3 MLXe: VRF (1 & 6) and OF, or PBR (2) for one arm FW traffic and OF (1 & 6)
BFO 1.2 can ensure flow in both directions is redirected via two action policies (stateful FW)

Priority Data Superhighway: Campus Slowpath-Bypass Use Case
[Diagram: Brocade SDN Controller, Open Daylight, Brocade Flow Optimizer, Brocade ICX or MLXe; flow path markers 1 to 6.]
1: Incoming flow from High Performance Workstation/server
2: Routed using normal routed/switched path
3, 4: Brocade Flow Optimizer recognizes this as a trusted flow and that it is either a “large flow” or “priority application”. Programs Brocade ICX/MLXe using the controller to re-direct the traffic to priority path for this flow
6: “White-listed” flow now placed on priority path and data transfer is faster and more efficient
Brocade ICX or MLXe: L2 or L3 redirect action
Need to ensure flow in both directions is redirected via policy

Summary of Additional REN Use Cases
[Diagram: Internet, Brocade MLXe, Brocade SDN Controller, Open Daylight, Brocade Flow Optimizer, REST API.]
L7 / Botnet Attack Mitigation
L2-L4 Volumetric Attack Mitigation
BGP Remote Triggered Black Hole (RTBH) Mitigation
DC Flow Management for Policy-based Security

Thank you

Backup

L7 and Botnet Attack Mitigation
[Diagram: Internet, Incoming Attack Flow, Brocade MLXe, IDS, Brocade SDN Controller, Open Daylight, Brocade Flow Optimizer, REST API; numbered flow markers.]
Diagram captions:
Brocade Flow Optimizer initiates mirror action
IDS detects L7 attack (Example: SYN Flood). API to BFO to discard flow.
MLXe mirrors flows to IDS. OF “mirror+normal” action.
OF discard action.
Notes:
Adds ability for advanced DDoS detection, up to L7
Based upon the IDS (Palo Alto, Arbor etc.) detection capability
API from IDS to BFO initiates additional discard actions

L2-L4 Volumetric Attack Mitigation
[Diagram: Internet, Incoming Attack Flow, Brocade MLXe, Brocade SDN Controller, Open Daylight, Brocade Flow Optimizer; flow markers 1 and 2.]
Diagram captions:
Brocade Flow Optimizer recognizes this as an L2-L4 Volumetric Attack
Local Mitigation: Discard Flow (Redirect Optional)
Notes:
Recommended when incoming aggregate attack traffic is 50% or less
L2-L4 local mitigation, based on sFlow sampling and DDoS policy
OF discard action (Automated, Manual)
1/10GbE, 40GbE and 100GbE support

BGP Remote Triggered Black-Hole (RTBH) Mitigation
[Diagram: Internet, Incoming Attack Flow, Brocade MLXe (Triggering Device), Brocade MLXe, Brocade SDN Controller, Open Daylight, Brocade Flow Optimizer; numbered flow markers.]
Diagram captions:
Brocade Flow Optimizer recognizes this as an L2-L4 Volumetric Attack
Flow Optimizer initiates CLI static route to MLXe. MLXe advertises BGP Route (ex: /32, /28, /24, /23)
Upstream BGP router: A) Discards flow to null0, or B) Re-directs traffic to cleaning site
Mitigation: Discard Flow
Notes:
L2-L4 local mitigation does not protect upstream link
If upstream link is congested above 50% by DDoS, add ability for RTBH to uncongest
RTBH is a well-known Internet operation
Automated RTBH reduces mitigation time from 15 minutes or hours -> under 1 minute

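The 50% boundary between local OpenFlow discard and BGP RTBH, described on the two mitigation slides above, worked through as an added example (not Brocade Flow Optimizer code). The sampling rate, window, link speed, policy threshold, protected prefix and sample records are all assumptions, and the 50% figure is read here as a share of upstream link capacity.

```python
# Added illustration; not Brocade Flow Optimizer code. All constants are assumptions.
from collections import defaultdict
from ipaddress import ip_address, ip_network

SAMPLING_RATE = 2048        # assumed 1-in-N sFlow packet sampling
INTERVAL_S = 10             # assumed measurement window in seconds
LINK_BPS = 10_000_000_000   # assumed 10GbE upstream link
POLICY_BPS = 1_000_000_000  # assumed DDoS policy: flag a destination above 1 Gb/s
RTBH_SHARE = 0.50           # the slides' 50% boundary, read as share of link capacity

def estimate_bps(samples):
    """Scale sampled frame sizes up to estimated bits/s per destination."""
    bits = defaultdict(int)
    for s in samples:
        bits[s["dst"]] += s["frame_bytes"] * 8 * SAMPLING_RATE
    return {dst: b / INTERVAL_S for dst, b in bits.items()}

def plan_mitigation(samples, protected=("198.51.100.0/24",)):
    """Return ({dst: (action, detail)}, attack share of the upstream link)."""
    nets = [ip_network(n) for n in protected]
    over = {d: r for d, r in estimate_bps(samples).items()
            if r > POLICY_BPS and any(ip_address(d) in n for n in nets)}
    share = sum(over.values()) / LINK_BPS
    plan = {}
    for dst in over:
        if share > RTBH_SHARE:
            # Link itself is congested; a local discard cannot relieve it,
            # so request an upstream black hole for the victim /32.
            plan[dst] = ("rtbh", f"{dst}/32")
        else:
            # Attack fits within the link; drop it at the local router.
            plan[dst] = ("local_discard", f"ipv4_dst={dst}")
    return plan, share

def constructed_samples(attack_count):
    """Constructed records using documentation addresses, not real traffic."""
    attack = [{"dst": "198.51.100.10", "frame_bytes": 1500}] * attack_count
    benign = [{"dst": "198.51.100.20", "frame_bytes": 1500}] * 50
    return attack + benign

if __name__ == "__main__":
    for n in (1000, 3000):
        print(n, plan_mitigation(constructed_samples(n)))
```

With 1000 sampled attack frames the estimate is about 2.46 Gb/s (25% of the link) and the plan is a local discard; with 3000 it is about 7.37 Gb/s (74%) and the plan switches to RTBH.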
L2 Firewall Bypass: Science-DMZ Use Case
HPC: High Performance Computing. DTN: Data Transfer Nodes.
[Diagram: WAN/Internet, Firewall, Brocade MLXe Router, HPC/DTN Network, Brocade SDN Controller, Open Daylight, Brocade Flow Optimizer; flow path markers 1 to 6.]
1: Incoming flow from upstream network
2: Sent to Firewall for processing
3, 4: Brocade Flow Optimizer recognizes this as a trusted flow and programs Brocade MLXe using the controller to bypass the firewall for this flow
6: “White-listed” flow now bypasses Firewall and data transfer is faster and more efficient
L2 MLXe: BFO 1.2 can ignore, push, pop or modify VLAN ID
BFO 1.2 can ensure flow in both directions is redirected via two action policies (stateful FW)

L3 Firewall Bypass: Science-DMZ Use Case
HPC: High Performance Computing. DTN: Data Transfer Nodes.
[Diagram: WAN/Internet, Firewall, Brocade MLXe Router, HPC/DTN Network, Brocade SDN Controller, Open Daylight, Brocade Flow Optimizer; flow path markers 1 to 6.]
1: Incoming flow from upstream network
2: Sent to Firewall for processing
3, 4: Brocade Flow Optimizer recognizes this as a trusted flow and programs Brocade MLXe using the controller to bypass the firewall for this flow
6: “White-listed” flow now bypasses Firewall and data transfer is faster and more efficient
L3 MLXe: VRF (1 & 6) and OF, or PBR (2) for one arm FW traffic and OF (1 & 6)
BFO 1.2 can ensure flow in both directions is redirected via two action policies (stateful FW)

Enterprise DC Flow Management for Policy-Based Security
Operator driven or sFlow threshold driven policy enforcement for large trusted flows
[Diagram: Enterprise Datacenter 1, One-armed Firewall, Trusted Traffic Flow, WAN, Inline Firewall, Enterprise Datacenter 2, Default Traffic Flow, Brocade SDN Controller, Brocade Flow Optimizer, Internet.]