Nuage Networks’ goal from the very beginning has been to automate networking and connect users to their applications with no restrictions by providing an open SDN software platform, the Virtualized Services Platform (VSP). Users of VSP have come to love the automation, openness, advanced networking capabilities, rich security policies, and multi-cloud capabilities that it offers. Today we have customers that include telcos, public cloud providers, service providers and enterprises who are using the power of policy-based SDN to deliver services and applications to their users across the globe.
We recently announced the availability of Nuage VSP Release 6.0.4, and in this blog, we want to take the opportunity to talk about the major new product capabilities that R6.0 (6.0.1-6.0.4) has introduced.
What are the product enhancements our customers were looking for?
Although our customers have enjoyed many of the previously mentioned benefits of our SDN offering they needed to evolve and requested the following enhancements:
- A high-performance and scalable accelerated data plane. Data plane performance needed to be increased, especially in light of the emerging 5G and IoT use cases.
- An extension to VSP’s scope of management control to also include the Data Center Gateway (DC-GW) so that both the data center (DC) and WAN overlay networks can be seamlessly connected.
- The ability to deploy multiple clouds that could be running different versions of VSP software all the while being managed from a central DC.
- The ability to deploy single-stack IPv6, due to the operational complexities involved with maintaining a dual-stack IPv4/IPv6 network.
- Our enterprise customers wanted to see functional improvements for their distributed security use cases, richer dashboards and the ability to quickly detect and respond to threats and troubleshoot issues.
- Integration with cloud workload orchestration platforms to enhance the ability to onboard their applications more quickly.
- All our customers also want operational tools to monitor their environment and the ability to troubleshoot issues quickly.
What have we worked to achieve?
In R6.0, we have met these requirements. First, we have introduced higher flow scale and aggregated flows for our accelerated virtual routing and switching (AVRS), our DPDK-based virtual switch. We have also enhanced the NETCONF-based integration for the Nokia SR 7750 DC-GW, allowing us to extend our management of this device. In R6.0, we enabled a centralized VSD to manage different Nuage software versions installed in different cloud deployments.
Operators want to transition completely to IPv6 and prefer a Single Stack IPv6 deployment model due to the operational complexities involved with maintaining a dual stack IPv4/IPv6 network. To meet this requirement, we have added the capability of having single stack IPv6 subnets on VCS domains. This expands the previously available dual-stack domains and subnets and now, on a per subnet basis, customers can have IPv4, dual-stack or IPv6 address families in use.
Our enterprise customers wanted to see functional improvements for their distributed security use cases, richer dashboards and the ability to quickly detect and respond to threats and troubleshoot issues. For these enterprise customer requirements, R6.0 adds new threat detection capabilities that can be used to detect security events like port scans and port sweeps. We have added automated policy responses that can be used to block malicious traffic to cloud workloads. The Flow Filter has a new interface to filter flows based on flexible criteria. The Flow Explorer GUI now supports the ability for the administrator to fetch details on the ACL entry and virtual firewall rule entry matching the selected flow record.
To enhance our customers’ ability to onboard applications more quickly, we have introduced support for OpenStack Queens for Red Hat OSP13, while support for Nokia CBIS 19 will be released shortly. Similarly, we have added support for Kubernetes 1.14.
All of our customers also wanted more operational tools to monitor their environment, enhancing their ability to troubleshoot issues quickly. To meet these requirements, we have added advanced traffic mirroring capabilities for troubleshooting and visibility use cases. In addition, we have exposed the hardware queues on the 210 WBX so that customers can monitor the control plane traffic. The 210 WBX platform health information is now available via new MIBs.
Specific feature details across R6.0.1 to R6.0.4:
VCS (Virtualized Cloud Services)
SR 7750 NETCONF enhancements
Enhancements to the Nokia SR 7750 NETCONF solution add the capability of aggregating regular domains into an aggregator domain, with the capability of GRT leaking, and also add support for IPv6 L3 Domains.
Mixed-VSP With Multi-VIM
Mixed VSP deployments are supported for the following releases: 5.3.2 & 6.0.3. This is supported for the deployment with a centralized VSD managing multiple PODs where each POD has one CBIS OpenStack instance and a VSC cluster, and VRS/AVRS on each compute node.
This feature allows:
- upgrades (from 5.3.2Ux to 6.0.3) to be completed over a longer period of time (over many months)
- mixed-VSP deployment to be the normal mode of operation without requiring an upgrade of all the PODs.
IPv6 Single Stack on VRS & WBX
This release adds the capability of having single-stack IPv6 subnets on VCS domains. This expands the previously available dual-stack domains and subnets, and now, on a per-subnet basis, you can have IPv4, dual-stack or IPv6 address families in use. From 6.0.3 onwards, subnets can be converted from IPv4 to dual-stack and from dual-stack to IPv6, and vice versa. Furthermore, the IPv6 topology can be disjoint from any IPv4 topology, since the selection of address families is at the subnet level, meaning a single L3 domain can contain a mix of IPv4, dual-stack and IPv6-only subnets.
IPv6 ACLs and policies are fully supported except for the use of IPv6 redirection-targets. ACLs have been brought closer to feature parity between IPv6 and IPv4, including ICMPv6 stateful support for RA/RS, NA/NS and Ping.
NETCONF Manager exclusive locks
7750 SR OS NETCONF complies with RFC 6241 by supporting a shared candidate and an exclusive candidate configuration. Private candidate support is not in the NETCONF specification, and common NETCONF clients/controllers prefer to use the <lock>/<unlock> RPCs to lock the whole candidate.
Starting in release 6.0.4, Netconf Manager can be configured to use exclusive locks and to use specific retry timers in case the configuration has already been locked by another user.
AVRS (Accelerated Virtual Switch) & VRS (Virtual Switch)
Increased Flow Scale for AVRS
For AVRS, the number of fast path flows can now be increased beyond the current limit of 200K flows up to 500K flows.
VM Re-attach on AVRS Restart and Upgrade
Prior to 6.0.3, if AVRS was restarted, the VMs on the compute node did not reattach to AVRS. With 6.0.3, AVRS has been enhanced such that after an AVRS restart, the VMs will reconnect to it and resume normal connectivity. Going forward this behavior will also apply in case of AVRS upgrades from 6.0.3 to a newer release.
Aggregate Flows for AVRS
Aggregate flows help reduce the overall fast-path flow table size and also help reduce the flow churn for various Telco Cloud VNF use cases (e.g. vSBC) which require a large number of flows to be installed. VCS provides two modes of support for Aggregate Flows on AVRS. Release 5.4.1 enabled support based on Policy Based Routing (PBR mode). Release 6.0.3 added support based on Routing and ACLs (Route mode). In Route mode, 6.0.3 provided functionality for Static Routes, ACL and vPort stats, removal of default ACLs, OpenStack integration (VSD Managed), BGP, IPv6 and support for enabling aggregation on multiple L3 domains. Support for underlay mirroring of Aggregate Flows in Route mode was added in 6.0.4.
Advanced Traffic Mirroring (VRS)
- Mirror Destination Groups
A mirror destination group is a logical group of multiple mirror destinations that contains either underlay or overlay mirror destinations. You can create a mirror destination group in an L2 or L3 domain and associate the mirror destination group to ACLs within the same domain.
- Transparent ACLs
Transparent ACLs can be used to create multiple mirroring flows before any forwarding action is taken (drop/forward). Transparent ACLs have the highest priority within the ACL group and are checked first, so that they are evaluated before any forward or drop action.
- Traffic Mirroring in Ingress ACL with DROP action
Support for applying a Mirror Destination (Single or Mirror Group) to Ingress ACLs when the action is set as DROP.
- Increased Underlay Mirror Destinations
The number of underlay mirror destinations has been increased from 16 to 128 destinations.
Flow Management for VRS (Beta)
VMs can create a large number of flows without any restrictions and can cause a denial of service to other VMs on the same VRS host. For example, in the event of a security attack on a single VM, many flows could be set up for that VM, saturating the datapath. This would affect the serviceability of the adjacent VMs on the same hypervisor. VRS Flow Management provides the ability to configure flow limits per VM vPort, preventing a single misbehaving VM from consuming all of the flows in the datapath. This is a beta feature in this release.
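To illustrate the noisy-neighbour problem described above and what a per-vPort flow limit changes, here is an added toy model (not Nuage code): a datapath with a fixed flow-table capacity, one VM that opens far more flows than it needs, and a neighbour VM that then tries to connect. The capacity, limit and addresses are constructed values.

```python
class Datapath:
    """Toy model of one VRS host's fast-path flow table (illustration only, not Nuage code).

    capacity: total number of flows the datapath can hold.
    per_vport_limit: optional cap per vPort, the knob VRS Flow Management exposes.
    """

    def __init__(self, capacity, per_vport_limit=None):
        self.capacity = capacity
        self.per_vport_limit = per_vport_limit
        self.flows = {}  # vport name -> set of 5-tuples

    def total_flows(self):
        return sum(len(f) for f in self.flows.values())

    def install_flow(self, vport, five_tuple):
        """Try to install a flow for vport; return True if accepted, False if rejected."""
        owned = self.flows.setdefault(vport, set())
        if five_tuple in owned:
            return True  # already installed, nothing to do
        if self.per_vport_limit is not None and len(owned) >= self.per_vport_limit:
            return False  # this vPort has used its quota; other vPorts are unaffected
        if self.total_flows() >= self.capacity:
            return False  # whole datapath is saturated
        owned.add(five_tuple)
        return True


def simulate(per_vport_limit):
    """'vm-a' opens 1000 distinct UDP flows, then 'vm-b' opens 10 HTTPS flows.

    Returns (flows accepted for vm-a, flows accepted for vm-b).
    """
    dp = Datapath(capacity=500, per_vport_limit=per_vport_limit)
    a_ok = sum(
        dp.install_flow("vm-a", ("10.0.0.2", "10.0.0.%d" % (i % 250 + 1), "udp", 1024 + i, 53))
        for i in range(1000)
    )
    b_ok = sum(
        dp.install_flow("vm-b", ("10.0.0.3", "10.0.1.10", "tcp", 40000 + i, 443))
        for i in range(10)
    )
    return a_ok, b_ok


if __name__ == "__main__":
    print("no limit:", simulate(None))      # vm-a fills the table, vm-b gets nothing
    print("limit 200:", simulate(200))      # vm-a is capped, vm-b keeps connectivity
```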
DHCPv6 support for VM ports on VRS
Subnets supporting the IPv6 address family now support DHCPv6 for address assignment for VRS-based vPorts. Basic DHCPv6 options are supported (DNS servers, domain-search and FQDN).
WBX (Hardware Switch)
WBX Control Plane Hardware Queues Monitoring
WBX CLI commands have been added to show the CPU hardware queues. These commands show information about control plane protocols mapping in queues and packets received/dropped. Hardware queues are not configurable.
WBX Hypervisor Monitoring Enhancements
Support of having specific MIBs available from the SR OS VM to obtain information about the hypervisor status. MIBs are used to get information about CPU cores utilization, memory, and top processes.
BGP Peering to VNF Loopback Enhancements
Support for WBX peering to VNFs using BGP PE-CE, where BGP peering happens between the distributed WBX default gateway and the VNF IP loopback. BGP-announced routes have the VNF loopback as next hop. In order to avoid tromboning to a single WBX (the BGP speaker) and to load-balance, a proprietary extended community has been added. With this community, a non-BGP-speaker WBX can use a local vPort for the data plane instead of tromboning to the BGP speaker, allowing distributed ECMP. Support includes IPv4 and IPv6.
ACL Scale Enhancements
The WBX chipset allows configuring ACLs globally or assigning ACLs per packet processing pipeline. Starting in release 6.0.1, the system supports enabling ACLs per pipeline, where each port belongs to one of the 4 available pipelines. The mapping of ports to pipelines is fixed and not configurable. This enhanced scale mode was available as a beta feature in 6.0.1 and was not enabled by default.
Starting with 6.0.2 when the system comes up, the enhanced scale mode is enabled and ACLs are by default in pipeline mode, using the scalability of all pipelines. Use of the global ACL mode is also supported but requires a cold reboot.
CLI-based configuration of L3 Domains
Release 6.0.1 added the support of manually configuring L3 Domains from the WBX CLI, supporting host/bridge vPorts, IPv4 and IPv6, and static routes. Release 6.0.2 added the support for BGP PE-CE IPv4 and IPv6. Release 6.0.3 added the support for VIPv4.
IPv4 /31 mask subnets support
The use of IPv4 /31 mask subnets is a common practice in networking when configuring point-to-point interfaces, as it saves IP addresses: the single remaining host bit addresses the two endpoints. This feature, although already available in the CLI, can now be configured from the VSD as well.
DHCPv6 support on WBX
DHCPv6 is now supported on WBX for both single-stack IPv6 and dual-stack subnets. The same restrictions as on the rest of the system apply: a single IP address per vPort served through DHCPv6, only host vPorts supported, and the only DHCP options supported are DNS server and DNS search domains. Leases are offered with infinite lifetime.
OpenStack-Client (OSC) Support
Both the python-openstackclient and python-neutronclient are supported. The neutron CLI commands are deprecated and will be removed in a future release. In this release, some of the openstack CLI commands are available for use with the Nuage OpenStack plugin. Check the VSP OpenStack Neutron ML2 Driver Guide for more detailed information about the commands supported in the latest release.
OpenStack per-Tenant Audit Tool
The Nuage OpenStack Audit tool is introduced to help administrators identify Security Group and FWaaS rule inconsistencies between the OpenStack Neutron database and VSD policies. The audit can now be executed for specific OpenStack tenants by specifying the project-id.
Network Partition Mapping to OpenStack Project
The Network Partition Mapping to OpenStack Project feature introduces the ability to change the system default netpartition on a per-project basis by mapping network partitions to Keystone projects. If this mapping is not defined for the project, the default network partition is used as specified in the system plugin configuration.
OpenStack Integration with vCenter and ESXi
Release 6.0.4 supports vCenter and ESXi integration with OpenStack.
Improved upgrade procedure with secondary VRS Agent to minimize VM traffic impact
A new upgrade procedure is available that minimizes the VM traffic impact in a VMware environment. The procedure uses a new feature where it is possible to deploy a secondary VRS Agent on an ESXi host that will remain active while the primary VRS Agent is being updated. More details can be found in the VMware Integration Guide.
Kubernetes 1.14 support
Pod networking for Kubernetes 1.14 is now officially supported.
VSS (Virtualized Security Services)
Flow Visualization Enhancements
Support for visualizing overlay and underlay flows based on flexible filtering criteria. In addition, a new overlay flow visualization chart was added to visualize denied overlay traffic flows.
New interface to filter flows based on flexible criteria.
New TCA (threshold crossing alert) metrics enable detection of port scan (a single source scanning a range of ports on a target server) and port sweep (a single source scanning a specific destination port/protocol across multiple targets) security events.
Automated Policy Response
A new TCA action to automatically add a vPort to a Policy Group is supported. This preserves the vPort's existing Policy Groups while adding a new Policy Group tag to the vPort, enabling an automated policy response.
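The two TCA metrics (port scan, port sweep) and the add-to-Policy-Group response described in the two sections above, shown together as an added example over constructed flow records; this is illustrative code, not Nuage's implementation, and the thresholds, addresses and the `quarantine` group name are assumptions.

```python
from collections import defaultdict

# Constructed sample of overlay flow records: (src, dst, proto, dst_port). Not real data.
SAMPLE_FLOWS = (
    [("10.0.1.5", "10.0.2.10", "tcp", p) for p in range(20, 45)]        # one source, 25 ports, one target
    + [("10.0.1.7", "10.0.2.%d" % h, "tcp", 22) for h in range(10, 30)]  # one source, port 22, 20 targets
    + [("10.0.1.9", "10.0.2.10", "tcp", 443), ("10.0.1.9", "10.0.2.11", "tcp", 443)]  # benign client
)

# Assumed threshold values; a real TCA would be tuned per environment.
PORT_SCAN_THRESHOLD = 20   # distinct dst ports from one source to one target
PORT_SWEEP_THRESHOLD = 15  # distinct targets from one source on one dst port/proto


def detect_tca_events(flows, scan_threshold=PORT_SCAN_THRESHOLD, sweep_threshold=PORT_SWEEP_THRESHOLD):
    """Return sorted (event_type, source) pairs for sources that crossed a threshold."""
    ports_per_target = defaultdict(set)     # (src, dst) -> {dst_port}
    targets_per_service = defaultdict(set)  # (src, proto, dst_port) -> {dst}
    for src, dst, proto, dport in flows:
        ports_per_target[(src, dst)].add(dport)
        targets_per_service[(src, proto, dport)].add(dst)
    events = set()
    for (src, _dst), ports in ports_per_target.items():
        if len(ports) >= scan_threshold:
            events.add(("port_scan", src))        # range of ports on one server
    for (src, _proto, _dport), targets in targets_per_service.items():
        if len(targets) >= sweep_threshold:
            events.add(("port_sweep", src))       # one port/proto across many servers
    return sorted(events)


def apply_policy_response(vport_groups, src_to_vport, events, quarantine_group="quarantine"):
    """Tag each offending vPort with an extra Policy Group, keeping its existing groups intact."""
    updated = {vport: list(groups) for vport, groups in vport_groups.items()}
    for _event_type, src in events:
        vport = src_to_vport[src]
        if quarantine_group not in updated[vport]:
            updated[vport].append(quarantine_group)
    return updated


if __name__ == "__main__":
    found = detect_tca_events(SAMPLE_FLOWS)
    groups = {"vport-a": ["web"], "vport-b": ["ssh-clients"], "vport-c": ["web"]}
    mapping = {"10.0.1.5": "vport-a", "10.0.1.7": "vport-b", "10.0.1.9": "vport-c"}
    print(found)
    print(apply_policy_response(groups, mapping, found))
```

A policy keyed on the `quarantine` group (for example a deny ACL) can then take effect without touching the groups that grant the workload its normal access.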
Time Filter for Dashboards
VSS analytics dashboards support additional time-filter options for 1, 2, 4 and 8 hour reporting intervals. The default time-interval for VSS analytics reports is set to 15 minutes to optimize query performance.
ACL to Flow Mapping Enhancements
Flow Explorer GUI supports the ability for the administrator to fetch details on the ACL entry and virtual firewall rule entry matching the selected flow record. In addition, administrators can also view most recent 1000 flows matching Ingress/Egress ACL entry from VSD security policy GUI when VSS analytics is enabled.
Our commitment to our customer requirements is paramount.
R6.0 is an example of a release where we have implemented capabilities that have been requested directly by our customers. Listening to our customers’ requirements is our primary driver for roadmap priority, and moving forward this will be a huge focus for us as we move into the era of 5G and IoT, which will surely drive rapidly evolving requirements.