Why SDN?

1. Trends in network services
2. Problems encountered by traditional networks
3. How SDN solves these problems
4. Networks where SDN applies
5. SDN cases

The development trend of network services
Every new technology appears because existing business needs have changed, so the first thing to understand when learning a new technology is what changed in the business. Put yourself in that position: the appearance of SDN is no exception.
Competitive pressure from globalization forces companies and organizations to keep adopting newly created technologies to strengthen their competitiveness. These include, but are not limited to, server virtualization, storage virtualization, cloud computing, and the supporting tools for business process automation. Using these tools shortens time to market and improves service quality, extending the competitive advantage; in this process IT technology keeps evolving and changing to meet the demand.
This evolution of IT technology is clearly visible whether you look at cloud service providers, telecom operators or enterprise networks. For example, creating a multi-tenant environment in a data center is very good and very powerful from the application's point of view, but it is undeniable that it puts heavy pressure on the traditional network architecture, which has long carried the load, and that architecture finds it very hard to adapt to the new demand. Some of the significant trends affecting data center and enterprise networks:
1. Data center consolidation. More and more companies move their own networks to public cloud providers; you can think of this as more and more small and medium data centers being merged into large ones. For the large data center this means more equipment, more complex wiring and more network traffic.
2. Server virtualization. To reduce cost, maximize resource usage and reduce downtime, more and more data centers deploy server virtualization; large numbers of virtual servers, and the virtual networks used to reach them, are integrated into the physical infrastructure.
3. New application frameworks. Many organizations deploy large numbers of service-based and web-based applications, which create a large amount of server-to-server communication inside the data center and require different applications to be isolated from each other. The data center shifts from a forwarding model based on data submission to one based on services, which makes it more dynamic and complex; the traditional network architecture no longer fits.
4. Cloud computing. Companies must use technology more agilely and effectively to respond quickly to the needs of the cloud computing business, which also places new demands on the network infrastructure.
5. BYOD (bring your own device), which puts pressure on the traffic, security and management of existing enterprise wireless networks.
Summary:
The development of network services requires administrators to manage increasingly complex networks and devices, deploy a variety of complex applications and handle growing data traffic. How to easily deploy and manage these applications, devices and networks, reduce operational errors and operating hours, and reduce the probability of network failure and the recovery time becomes particularly important. The trends above occur mainly in data centers, large enterprise internal networks and operator networks, and in particular in the data center. So the data center is ***what inspired the rise of SDN.***

Problems encountered by traditional networks
In a traditional network, devices are managed one at a time, and a lot of what happens in the network is invisible to the administrator. Because the devices come from different manufacturers, it is hard to have a unified management platform. When a new business requirement calls for changes to some devices in the network, the device is a black box to the administrator, and so is the network: the forwarding path is computed by dynamic protocols, so it is hard to know which path a business's packets take, where congestion occurs, and whether a better route exists. Even if one exists, it is hard to move the business onto that better path, because the path is not specified by the administrator but computed by the protocol. As a result, automated deployment based on the network topology is even less possible.
The figure (not reproduced here) lists the problems an administrator commonly faces.
The direct result of these issues is that deploying a new business on the network usually takes a long time, so when enterprises deploy new services, one thing they often have to do is upgrade the network. All in all, the traditional network architecture has reached the limits of its capacity in the new situation.

How SDN solves the problem
The core of the SDN solution is to change, in a controlled way, how data flows through the traditional network. In a traditional network the packet is forwarded from source to destination hop by hop; each hop decides its forwarding behaviour independently, is configured independently, and has its own processing capacity and configuration, so this control is completely distributed.
SDN peels the control plane out of each device and moves it to a unified external server, which centrally manages all the devices on the forwarding path and issues unified commands. The centralized controller knows all the necessary information; moreover, it can expose an open API so that upper-layer applications can program it. This eliminates much of the manual configuration process, gives administrators a holistic view of the whole network, and improves the efficiency of service deployment.
For example, in network virtualization, adding a new tenant or a new virtual machine is done through a cloud computing management platform such as OpenStack or CloudStack. The administrator only fills in the properties of the tenant or virtual machine; the platform automatically calculates all the required resources and configuration, and for the network part it calls the controller's API to configure the switch nodes automatically. Without SDN, the platform would have to find a way to configure each device itself and provide different programming interfaces for different types of equipment, with special devices needing special treatment; for a unified platform that is fatal and cannot scale.
Introducing SDN also prevents vendor lock-in. If a business requirement calls for modifying a device that is not one of the vendor-managed devices, as long as the device supports SDN it can be programmed, and its forwarding behaviour can be changed directly through the open southbound interface. This is one of the drivers behind companies such as Google and Facebook wanting to introduce SDN. Vendor lock-in exists in both data center and operator networks; it brings not only a cost problem but, more importantly, limits the capacity for network transformation and innovation, sometimes to the point of having to call in the manufacturer's technical staff for help. Once SDN is in place, the knowledge administrators need to learn can be greatly reduced, because heterogeneous devices, dynamic protocols and proprietary protocols can be greatly reduced.

Networks where SDN applies
SDN originated in the campus network and took off in data center and enterprise networks, so it must suit these networks, in particular those using virtual networks.
The same applies to operator networks, because they have the same problem. Domestic carriers have long had unified network management platforms, also in order to reduce operation and maintenance cost, but each equipment manufacturer's network management is different, so operators have to switch between different management platforms to manage their network. One drawback is that adding a new supplier's equipment to the network inevitably introduces a new management platform, so vendor lock-in is now a serious problem for operators, and it is one of the problems the NFV organization established by operators set out to solve.
Wireless networks, whether an enterprise's own wireless network or a municipal wireless network built by an operator, are themselves a centrally controlled architecture, with multiple APs under the centralized control of an AC, which makes them ideal for SDN.
In the security area, the forwarding behaviour of a security device is policy-based, usually statically controlled, and coordinated across the whole network; the most annoying thing in network security is dynamic, uncontrollable change. So the security field is very suitable for SDN applications.
Summary:
The more complex a network is, the harder it is to operate, and the more pressing the need to change to an SDN architecture. However, the more complex the network, the larger the impact and the difficulty of the reform. In the real world, the first to deploy SDN are either new networks or existing networks whose problems have become intolerable, such as virtualized data centers.

SDN cases
Case I: a use case for a conventional switch
As shown in the figure, the customer's network connects multiple nodes; to reach another node from one node, traffic has to cross another operator's network. Before the traffic passes through, that operator requires the Layer 2 header to carry the S-VLAN it assigned to the customer, so this action must be completed on the source switch, which must tag different packets with S-VLANs according to MAC address.
All packets from SW1 to SW2 through network 1 are tagged with svlan1, and all packets from SW1 to SW3 through network 2 are tagged with svlan2. Adding the S-VLAN cannot be based on the port, because packets from the same port may go to different sites, which means SW1 (this is a large Layer 2 network) must add the S-VLAN based on MAC address. We know that traditional Layer 2/3 switches generally add a VLAN based on source port, source MAC address or source IP, following the VLAN classification defined by IEEE, which many switches support; but adding a VLAN based on the destination MAC address is not supported by many switches.
This case is no exception: even if the chip supports it, developing this feature for a user is time-consuming, and if a large manufacturer's switches are in use, modification is impossible. Doing it with an OpenFlow switch is very easy.
OpenFlow V330, for example, did not consider any of the VLAN classification functions defined by IEEE; it can be said not to consider any specific network function at all, yet this case is supported, because by definition an OpenFlow switch can match on destination MAC, source MAC or any other field, and once matched can apply an action that tags the VLAN.
This is a typical case that demonstrates the lack of flexibility of traditional switches, while an SDN switch can flexibly meet different customers' needs through software programming.

Case II: an OpenFlow switch case
The customer is a data center service provider with multiple data centers interconnected over internal lines and a single shared Internet entrance. OpenFlow switches are added to the existing distribution network to defend against DDoS (distributed denial of service) attacks. The entrance router of the whole data center and the entrance router of each sub-data center are each connected to a bypass device: an OpenFlow switch. The data center entrance router sends part of its NetFlow data to an intrusion detection server for analysis. When that server detects that a certain flow is a DDoS attack, the controller uses the BGP protocol to make the router forward all packets destined for the victim device to the OpenFlow switch, and at the same time configures the OpenFlow switch: the switch matches every packet sent to it on source IP + destination IP, and even on the Layer 4 port numbers; attack packets are dropped, and non-attack packets have their destination IP rewritten and are returned to the router (the rewrite prevents the router from sending the packet back to the switch and forming a loop). When the router forwards the packet to the border router of the destination network, the border router sends the packets with the specially modified destination IP to its OpenFlow switch, which restores the destination IP and sends the packets back to its directly connected border router, which then delivers them to the final destination.
Before SDN was introduced, what did the anti-DDoS scenario look like?
Solution: the traditional way a data center defends against DDoS attacks is this. The data center's access device sends NetFlow statistics and data stream features to a remote server for analysis; when the server's analysis finds that some packets belong to a DDoS attack, it sends the packet features to the data center entrance device, which uses BGP to map all packets sent to the victim device to a black-hole route, so that these packets are dropped, mitigating the impact of the attack. The problem is that during the attack all packets sent to the attacked device are dropped, legitimate or not, so the device is unreachable for some time; this scheme is based purely on destination IP. Current practice does not simply discard all packets but sends the data to a cleaning device (the OpenFlow switch), which cleans the data stream, dropping illegal packets and sending legal packets back; this scheme is based on source IP + destination IP.

Can't this be achieved with an ordinary switch ACL? Why must it be an OpenFlow switch?
Solution: using ACLs is not only inefficient but a manual operation that leads to errors. A large network has equipment from many manufacturers whose command lines differ. There is a further problem: with ACLs, when the cleaned data is returned to the BGP router its destination IP is unchanged, so the BGP router sends it back to the cleaning device, and the behaviour loops: BGP router - cleaner - BGP router ... Of course an IP tunnel / GRE tunnel / MPLS tunnel can be used to avoid the loop, but each approach has its own problems.
None of these methods is as clear and simple as using OpenFlow. Of course the key point is that the OpenFlow switch must be able to rewrite the destination IP address, a capability traditional switches do not have.

There are already mature schemes for defending against DDoS attacks; why use SDN?
Solution: the existing ways have their own problems. There are some commercial products, such as Arbor Networks' Peakflow, but they are very expensive. The biggest highlight of the SDN scheme is the common programming interface: once the intrusion detection application detects an attack, it only needs to notify the controller, which configures the OpenFlow switch through its interface by issuing static entries. It is very easy to program and control, fully automated, and requires no change to existing network equipment, which is very important, because our network is relatively large and the capabilities of the individual routers differ.

This is a typical case in which you can see several benefits of SDN:
1. Centralized control: after the intrusion detection server detects an attack, the controller uniformly controls all routers and the data cleaning device (the OpenFlow switch).
2. Flexible definition of hardware forwarding behaviour: filtering according to source and destination rather than destination only, and rewriting the destination IP as needed.
3. Generality: new services can be deployed without changing the existing network architecture, and vendor lock-in can be prevented (as long as everyone supports the functions defined by OpenFlow).
4. Automation: deployment and service can be automated through application-layer software.
5. Low cost: no special equipment is required and there is no dependence on a specific manufacturer; general equipment can be used, so the cost is low.
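To make the forwarding logic of both cases concrete, here is an added Python model of an OpenFlow-style flow table (example code, not from the book or the post; the field names, MAC and IP addresses and port names are constructed). It covers Case I (SW1 tagging the S-VLAN by destination MAC) and Case II (the scrubbing switch dropping the reported attack flow, rewriting the destination IP of clean packets so the router does not loop them back, and the border switch restoring it).

```python
from dataclasses import dataclass

@dataclass
class FlowEntry:
    priority: int
    match: dict    # header field -> required value; an empty dict matches everything
    actions: list  # (action, argument) pairs applied in order

def apply_table(table, pkt):
    """Run pkt through the highest-priority matching entry; out_port None = dropped."""
    for entry in sorted(table, key=lambda e: -e.priority):
        if all(pkt.get(k) == v for k, v in entry.match.items()):
            break
    else:
        return None, pkt                     # table miss: drop
    pkt, out = dict(pkt), None               # copy so the caller's packet is untouched
    for act, arg in entry.actions:
        if act == "drop":
            return None, pkt
        if act == "push_vlan":               # Case I: add the operator-assigned S-VLAN
            pkt["svlan"] = arg
        elif act == "set_nw_dst":            # Case II: rewrite the destination IP
            pkt["nw_dst"] = arg
        elif act == "output":
            out = arg
    return out, pkt

# Case I: SW1 classifies by destination MAC (constructed addresses and port names)
SW2_MAC, SW3_MAC = "00:00:00:00:00:02", "00:00:00:00:00:03"
SW1_TABLE = [
    FlowEntry(10, {"dl_dst": SW2_MAC}, [("push_vlan", 1), ("output", "net1")]),
    FlowEntry(10, {"dl_dst": SW3_MAC}, [("push_vlan", 2), ("output", "net2")]),
]
# Case II: central scrubbing switch and border switch (constructed addresses)
VICTIM, ATTACKER, SCRUB_ALIAS = "203.0.113.10", "198.51.100.7", "192.0.2.10"
SCRUB_TABLE = [  # installed by the controller once the IDS reports the attack flow
    FlowEntry(20, {"nw_src": ATTACKER, "nw_dst": VICTIM, "tp_dst": 80}, [("drop", None)]),
    FlowEntry(10, {"nw_dst": VICTIM}, [("set_nw_dst", SCRUB_ALIAS), ("output", "router")]),
]
BORDER_TABLE = [  # restores the real destination before handing back to the border router
    FlowEntry(10, {"nw_dst": SCRUB_ALIAS}, [("set_nw_dst", VICTIM), ("output", "border")]),
]

def scrub_path(pkt):
    """A diverted packet through scrubber then border switch; None if dropped anywhere."""
    out, pkt = apply_table(SCRUB_TABLE, pkt)
    if out != "router":
        return None
    out, pkt = apply_table(BORDER_TABLE, pkt)
    return pkt if out == "border" else None
```

Because the scrubber rewrites the destination before returning traffic, the router's BGP diversion rule for the victim no longer matches those packets, which is exactly the loop-avoidance point the case makes.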

The above is taken from Zhang Weifeng's "SDN In-Depth Analysis". In my own view, this book is suitable for students working on networks who want to learn about SDN and do not need much deep theoretical support; it is easy to understand and makes it easy for more people to understand SDN.


Origin blog.csdn.net/qinshangwy/article/details/105162286