Presentation is loading. Please wait.

Presentation is loading. Please wait.

@projectcalico Sponsored by Simple, Secure, Scalable networking for the virtualized datacentre UKNOF 33 Ed 19 th January 2016.

Published byConstance Hubbard Modified over 8 years ago

Similar presentations

Presentation on theme: "@projectcalico Sponsored by Simple, Secure, Scalable networking for the virtualized datacentre UKNOF 33 Ed 19 th January 2016."— Presentation transcript:

1 @projectcalico Sponsored by Simple, Secure, Scalable networking for the virtualized datacentre UKNOF 33 Ed Harrison @eepyaich 19 th January 2016

2 @projectcalico The Goal: Hyperscale Efficiency Metaswitch Networks | Proprietary and confidential | © 2014 | 2 The Goal: Hyperscale Efficiency The Goal: Hyperscale Efficiency

3 @projectcalico Metaswitch Networks | Proprietary and confidential | © 2014 | 3

4 @projectcalico Virtual Networking Today (VM’s / Containers) Port forwarding / NAT  Simple  Works “out of the box”  Easily understood  … but not “real IP networking”  Won’t work with all applications (e.g. IPsec)  Onerous port assignment constraints on applications  Requires app developers to be aware of constraints  Widely accepted as unsuitable for at-scale deployments Overlay networks  Connect each container to a virtual Layer 2 segment  Separate “overlay” domain over “underlay” network with GRE, MPLS, VXLAN, or proprietary tunneling protocols  But…  Lots of state – 1,000 machines => full mesh of 499,500 tunnels!  Breaking out of virtual network sandboxes requires NAT / router  L2 typically not required today  Requires app developers to be networking experts IP1:80 IP1:8080

5 @projectcalico They shoulda listened to Einstein… “We tried supporting a bunch of the commercial software-defined networks... The theory was, 'is it just the open vSwitch in Neutron is crap?' – [but] even the commercial ones aren't where they need to be.” – Joshua McKenty, CTO, Piston Cloud

6 @projectcalico A Glimpse at Overlay Networking Complexity

7 @projectcalico

8 An open source project to enable scalable, simple and secure IP networking in a data center / cloud environment What is Calico? SimpleScalableSecure Thousands of servers, 100k’s of workloads Don’t demand users to be networking experts Rich micro-service policy framework

9 @projectcalico What if we built a data center like the internet? IP App IP App IP App IP App IP App IP App IP App IP App Router BGP Hosts

10 @projectcalico What if we built a data center like the internet? IP App IP App IP App IP App IP App IP App IP App IP App BGP Compute Node VMs / LXCs Router VMs / LXCs … this is Project Calico!

11 @projectcalico Coarse-grained Policy (network/tenant isolation) Traditional approach: VLANs or mesh of tunnels (separation as by-product) Calico: Just a set of simple policy rules – all workloads in a given “network” just share a tag; all with the same tag are whitelisted, others blacklisted

12 @projectcalico Fine-grained Policy (micro-service segmentation) Traditional approach: Discrete firewall elements that are a bottleneck and not optimally placed to enforce security (by the time the packet reaches the firewall, it can’t be sure where it came from) Calico: Rich, but simply defined, policy rules Distributed host-based ACL calculation Ingress/egress enforcement in the data-plane pipeline immediately adjacent to each workload

13 @projectcalico The Distributed Firewall Network Fabric Network Fabric eth0 2001:db8:1234::1:2 Routing eth0 2001:db8:1234::1:3 eth0 2001:db8:1234::1:4 eth0 2001:db8:1234::1:7 eth0 2001:db8:1234::1:6 eth0 2001:db8:1234::1:5 2001:db8:5678::1 2001:db8:5678::2

14 @projectcalico Project Calico architecture eth0 2001:db8:1234::1:2 eth0 2001:db8:1234::1:4 eth0 2001:db8:1234::1:7 Felix Routes iptables Route Reflector Kernel BIRD

15 @projectcalico Calico Network Policy Model Workload … Endpoint … Profile … Tag Rules Workload Endpoint Profile container, VM, bare metal (virtual) network interface reusable policy

16 @projectcalico Life Before and after Calico Before CalicoAfter Calico Scale challenges above few hundred servers / thousands of workloads Scale to millions of workloads with minimal CPU and network overhead Troubleshooting connectivity issues can take hours What is happening is “obvious” – traceroute, ping, etc., work as expected EXIT On/off ramps + NAT to break out of overlay Path from workload to non-virtual device or public internet (or even between data centers) is just a route High availability / load balancing across links requires LB function (virtual or physical) and/or app-specific logic Equal Cost Multi-Path (ECMP) & Anycast just work, enabling scalable resilience and full utilization of physical links CCCC NANA CCNA or equivalent required to understand end-to-end networking, deploy applications Basic IP networking knowledge only required

17 @projectcalico Get Involved  Main project website: www.projectcalico.org www.projectcalico.org  Github  github.com/projectcalico  Mailing list, Slack info:  projectcalico.org/contact/  freenode IRC: #calico  Download & try it out  We welcome your feedback and contributions  Follow us @projectcalico

Download ppt "@projectcalico Sponsored by Simple, Secure, Scalable networking for the virtualized datacentre UKNOF 33 Ed 19 th January 2016."

Similar presentations

All Rights Reserved © Alcatel-Lucent 2009 Enhancing Dynamic Cloud-based Services using Network Virtualization F. Hao, T.V. Lakshman, Sarit Mukherjee, H.

All Rights Reserved © Alcatel-Lucent 2009 Enhancing Dynamic Cloud-based Services using Network Virtualization F. Hao, T.V. Lakshman, Sarit Mukherjee, H.
Software Defined Networking in Apache CloudStack

Software Defined Networking in Apache CloudStack
Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:

Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:
Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net 1 E-VPN and Data Center R. Aggarwal

Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net 1 E-VPN and Data Center R. Aggarwal
Internetworking II: MPLS, Security, and Traffic Engineering

Internetworking II: MPLS, Security, and Traffic Engineering
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Implement Inter- VLAN Routing LAN Switching and Wireless – Chapter 6.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Implement Inter- VLAN Routing LAN Switching and Wireless – Chapter 6.
Connect communicate collaborate GN3plus What the network should do for clouds? Christos Argyropoulos National Technical University of Athens (NTUA) Institute.

Connect communicate collaborate GN3plus What the network should do for clouds? Christos Argyropoulos National Technical University of Athens (NTUA) Institute.
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle’s Next-Generation SDN Platform Andrew Thomas Architect Corporate Architecture.

Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle’s Next-Generation SDN Platform Andrew Thomas Architect Corporate Architecture.
CloudStack Scalability Testing, Development, Results, and Futures Anthony Xu Apache CloudStack contributor.

CloudStack Scalability Testing, Development, Results, and Futures Anthony Xu Apache CloudStack contributor.
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
© 2010 Cisco and/or its affiliates. All rights reserved. 1 Segment Routing Clarence Filsfils – Distinguished Engineer Christian Martin –

© 2010 Cisco and/or its affiliates. All rights reserved. 1 Segment Routing Clarence Filsfils – Distinguished Engineer Christian Martin –
Brocade VDX 6746 switch module for Hitachi Cb500

Brocade VDX 6746 switch module for Hitachi Cb500
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
The Case for Enterprise Ready Virtual Private Clouds Timothy Wood, Alexandre Gerber *, K.K. Ramakrishnan *, Jacobus van der Merwe *, and Prashant Shenoy.

The Case for Enterprise Ready Virtual Private Clouds Timothy Wood, Alexandre Gerber *, K.K. Ramakrishnan *, Jacobus van der Merwe *, and Prashant Shenoy.
Virtualization of Fixed Network Functions on the Oracle Fabric Krishna Srinivasan Director, Product Management Oracle Networking Savi Venkatachalapathy.

Virtualization of Fixed Network Functions on the Oracle Fabric Krishna Srinivasan Director, Product Management Oracle Networking Savi Venkatachalapathy.
Application Centric Infrastructure

Application Centric Infrastructure
Network Overlay Framework Draft-lasserre-nvo3-framework-01.

Network Overlay Framework Draft-lasserre-nvo3-framework-01.
“It’s going to take a month to get a proof of concept going.” “I know VMM, but don’t know how it works with SPF and the Portal” “I know Azure, but.

“It’s going to take a month to get a proof of concept going.” “I know VMM, but don’t know how it works with SPF and the Portal” “I know Azure, but.
Anycast Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays 1:30pm-2:50pm.

Anycast Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays 1:30pm-2:50pm.
Semester 4 - Chapter 3 – WAN Design Routers within WANs are connection points of a network. Routers determine the most appropriate route or path through.

Semester 4 - Chapter 3 – WAN Design Routers within WANs are connection points of a network. Routers determine the most appropriate route or path through.

Similar presentations

Ads by Google