
CN112039682A - Application and practice method of software-defined data center in operator network - Google Patents

Application and practice method of software-defined data center in operator network

Info

Publication number
CN112039682A
Authority
CN
China
Prior art keywords
data center
network
business
service
layer
Legal status
Pending
Application number
CN201910478292.2A
Other languages
Chinese (zh)
Inventor
艾福荣·艾尼瓦尔
Current Assignee
Individual
Original Assignee
Individual
Priority date
Application filed by: Individual
Priority to: CN201910478292.2A
Publication of: CN112039682A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/04 Network management architectures or arrangements
    • H04L41/044 Network management architectures or arrangements comprising hierarchical management structures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/32 Flooding
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method for applying and practicing a software-defined data center in an operator network. The data center comprises an upper-layer OpenStack cloud platform, a middle-layer SDN controller, and bottom-layer hardware firewalls, load balancers, switches and other devices, and verifies the network architecture of the SDN system in the following steps. Step 1: build a DCI tunnel, connect the data center network at Layer 2, simulate the data center as a standby data center, and test and verify Layer 2 connectivity. Step 2: migrate the simulated production service to the new backup data center, record the time taken and verify the service, resolve any problems, and test whether the service provided by the backup data center meets requirements. Step 3: rebuild the old data center so that it conforms to the SDN system network architecture, migrate the service back, and record the migration time and its impact on the service. Step 4: verify how well the current system network architecture supports active-active services. The method is flexible to implement, provides network visualization, and facilitates troubleshooting.

Description

Application and practice method of software-defined data center in operator network

Technical field:

The present invention relates to the SDN and VXLAN technologies of network data centers, and in particular to a method for applying and practicing a software-defined data center in an operator network.

Technical background:

Driven by compute and storage virtualization, cloud computing has become widespread in data centers. Elastic, automated deployment of compute and storage is already mature, but the network is still built in the traditional way; compared with compute, network construction, deployment and operation are not flexible enough. To make the network flexible, secure and easy to scale, SDN technology is introduced into data center construction. An overlay network (a virtual network built on top of an existing network, formed of logical nodes and logical links) is implemented with SDN+VXLAN to isolate services: a separate virtual network is built for each service to meet its individual requirements, which makes the network flexible and brings it closer to service needs. NFV is introduced to build a security resource pool from x86 virtual resources, so that security resources can be supplied elastically according to service demand. SDN service chaining secures east-west traffic within the resource pool. Service automation is achieved through the SDN controller: requirements are entered on the controller's management page and the controller delivers the configuration. SDN can be connected to the cloud platform to achieve cloud-network integration, so that compute, storage, network and security are all automated through the cloud platform. EVPN together with VXLAN provides large Layer 2 interconnection across data centers; this large Layer 2 capability is the key to unified management, scheduling resources across data centers, and deploying services across data centers.

Detailed content:

The purpose of the present invention is to provide a method for applying and practicing a software-defined data center in an operator network that is flexible to implement, provides network visualization, and facilitates troubleshooting.

The purpose of the invention is achieved as follows: a method for applying and practicing a software-defined data center in an operator network, comprising an upper-layer OpenStack cloud platform, a middle-layer SDN controller, and bottom-layer hardware firewalls, load balancers, switches and other devices. The steps by which the data center verifies the SDN system network architecture are as follows:

Step 1: build a DCI tunnel to connect the simulated traditional data center with the current test-center data center network at Layer 2, simulate that data center as a standby data center, and test and verify Layer 2 connectivity and the feasibility of the data center acting as a standby center;

Step 2: migrate the simulated production services to the new backup data center, record and verify the service migration time, the problems that may arise and their solutions, and test whether the service capability provided by the backup data center meets requirements;

Step 3: rebuild the old data center into one conforming to the SDN system network architecture, migrate the services back, and record and verify the time taken to migrate back and the impact on services;

Step 4: verify how the current system network architecture supports active-active services.

The invention uses a data center built with the new network technology. The upper layer contains the OpenStack cloud platform, the middle layer the SDN controller, and the bottom layer hardware firewalls, load balancers, switches and other devices.

Step 2: create basic test services according to the newly built Xinjiang Mobile data center network architecture, test whether the services can meet the requirements of banking information systems, and at the same time test the openness and elasticity of the network architecture.

Step 3: migrate some test-area services into the data center and place new services directly in the data center. Record and verify the migration and cutover times, and compare how the data center changes the rapid provisioning of resources for new services relative to the previous way of bringing new services online.

Step 4: study and verify the operation and maintenance tool software of the data center and compare it with the current operational processes.

The steps for verifying the SDN system network architecture with dual or multiple data centers are briefly as follows:

Step 1: build a DCI tunnel to connect the simulated traditional data center with the current test-center data center network at Layer 2, and simulate that data center as a standby data center. Test and verify Layer 2 connectivity and the feasibility of the data center acting as a standby center.

Step 2: migrate the simulated production services to the new backup data center. Record and verify the service migration time, the problems that may arise and their solutions, and test whether the service capability provided by the backup data center meets requirements.

Step 3: rebuild the old data center into one conforming to the SDN system network architecture and migrate the services back. Record and verify the time taken to migrate back and the impact on services.

Step 4: verify how the current system network architecture supports active-active services.

List of experimental test equipment

[Figure 1 (RE-DEST_PATH_IMAGE001): table of experimental test equipment; image not available]

Centralized control scheme

The SDN controller manages the network in a unified way and delivers network policy to devices through southbound protocols such as NETCONF/OVSDB, separating control from forwarding; the SDN controller (following the service orchestration) delivers forwarding flow tables to devices through the OpenFlow protocol.

All VTEP devices register with the controller, and the controller monitors the state of each VTEP.

The controller cluster maintains the forwarding entries of the whole network and can obtain them in two ways: from the subnet, VM IP and MAC information held by the cloud management platform; or by first-packet punting to the controller, which analyses the first packet to obtain the IP, MAC, port and other information of the VTEP and the servers attached below it. The controller then notifies the GW that the VM is online, carrying the VM's information.

Distributed control scheme

The SDN controller delivers network policy to devices through NETCONF.

The control plane uses MP-BGP EVPN for VTEP peer discovery and remote address learning; protocol-based distribution of host MAC/IP addresses together with ARP suppression on the local VTEP reduces flooding in the network.

EVPN-based control plane

1. Configure the RR in EVPN (recommended on the spine) and the RR clients (all VTEPs);

2. The RR clients establish BGP neighbor relationships with the RR;

3. MAC and route synchronization is completed using the extended NLRI carried by EVPN's MP-BGP.

1. VM1 comes online; VTEP A synchronizes the MAC address and host route it learned for VM1 to the RR through the BGP extension;

2. The RR synchronizes the received route update to all of its neighbors (VTEP B and C);

3. Each VTEP receives the BGP message and adds the learned VM MAC and IP address to its tables: the MAC goes into the L2 entry of the same VXLAN, and the route goes into the L3 entry.
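The three steps above, together with the ARP suppression mentioned under the distributed control scheme, can be simulated end to end. The following is an added example, not code from the patent: a spine route reflector fans a simplified EVPN MAC/IP route from VTEP A out to VTEP B and C, each VTEP installs L2 and L3 entries, and a later ARP request at VTEP B is answered from those entries instead of being flooded. Device names, loopback addresses and the VM's MAC/IP are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class MacIpRoute:
    """Simplified EVPN MAC/IP advertisement route as carried in the MP-BGP extended NLRI."""
    vni: int        # L2 VNI the MAC belongs to
    mac: str
    ip: str
    next_hop: str   # loopback of the advertising VTEP (BGP NEXT_HOP attribute)


class RouteReflector:
    """Spine RR: reflects every update it receives to all other RR clients (step 2)."""

    def __init__(self) -> None:
        self.clients: List["Vtep"] = []

    def receive(self, route: MacIpRoute, origin: "Vtep") -> None:
        for client in self.clients:
            if client is not origin:
                client.receive(route)


class Vtep:
    """Leaf VTEP acting as RR client, with an L2 (per-VXLAN MAC) table and an L3 (host route) table."""

    def __init__(self, name: str, loopback: str, rr: RouteReflector) -> None:
        self.name, self.loopback, self.rr = name, loopback, rr
        rr.clients.append(self)
        self.l2: Dict[Tuple[int, str], str] = {}      # (vni, mac) -> local port or remote VTEP
        self.l3: Dict[str, Tuple[str, str]] = {}       # ip -> (mac, local port or remote VTEP)
        self.flooded_arps = 0                          # ARP requests that still had to be flooded

    def vm_online(self, vni: int, mac: str, ip: str, port: str) -> None:
        """Step 1: a local VM comes up; learn it and advertise the MAC/IP route to the RR."""
        self.l2[(vni, mac)] = port
        self.l3[ip] = (mac, port)
        self.rr.receive(MacIpRoute(vni, mac, ip, self.loopback), self)

    def receive(self, route: MacIpRoute) -> None:
        """Step 3: install the MAC in the L2 table of the same VXLAN and the host route in the L3 table."""
        self.l2[(route.vni, route.mac)] = route.next_hop
        self.l3[route.ip] = (route.mac, route.next_hop)

    def arp_request(self, vni: int, target_ip: str) -> Optional[str]:
        """ARP suppression: answer a local VM's ARP request from the EVPN-learned tables.
        Only when the target is unknown does the request have to be flooded into the VXLAN."""
        entry = self.l3.get(target_ip)
        if entry is not None and (vni, entry[0]) in self.l2:
            return entry[0]
        self.flooded_arps += 1
        return None


def demo() -> dict:
    """Constructed topology: one spine RR, VTEP A/B/C; VM1 (10.0.0.1) comes online behind VTEP A."""
    rr = RouteReflector()
    a = Vtep("VTEP A", "192.0.2.1", rr)
    b = Vtep("VTEP B", "192.0.2.2", rr)
    c = Vtep("VTEP C", "192.0.2.3", rr)
    a.vm_online(vni=5000, mac="02:00:00:00:00:01", ip="10.0.0.1", port="Eth1/1")
    return {
        "b_l2_next_hop": b.l2.get((5000, "02:00:00:00:00:01")),   # points at VTEP A's loopback
        "c_l3_entry": c.l3.get("10.0.0.1"),
        "b_arp_answer": b.arp_request(5000, "10.0.0.1"),          # answered locally, no flood
        "b_arp_unknown": b.arp_request(5000, "10.0.0.9"),         # unknown host, must flood
        "b_floods": b.flooded_arps,
        "a_l2_local": a.l2.get((5000, "02:00:00:00:00:01")),
    }
```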

The two implementation approaches were compared and analysed. Because they are implemented differently, the scenarios they suit also differ; the analysis concludes that the centralized control scheme is better suited to small data centers where the network scale is limited, and that distributed control is the better technical route for the present scenario.

[Figure 2 (RE-DEST_PATH_IMAGE002): image not available]

Network infrastructure

Multiple virtual machines can be created on one server, and different virtual machines can belong to different VXLANs. VMs belonging to the same VXLAN are in the same logical Layer 2 network and communicate with each other at Layer 2.

The same MAC address may appear in two different VXLANs, but a MAC address cannot be duplicated within a single segment.

VTEP: the edge device of the VXLAN, which performs VXLAN service processing: identifying the VXLAN an Ethernet frame belongs to, forwarding the frame at Layer 2 within that VXLAN, and encapsulating/decapsulating VXLAN packets.

VXLAN isolates the virtual network from the physical network by placing an intelligent entity, the VTEP, at the edge of the physical network. Tunnels are set up between VTEPs to carry the virtual network's frames over the physical network, which is unaware of the virtual network. The VTEP encapsulates/decapsulates the frames sent/received by the virtual machines, while the virtual machines themselves are unaware of VNIs and VXLAN tunnels.

VXLAN uses a 24-bit VNI to identify Layer 2 network segments; each VNI identifies one VXLAN, playing a role similar to a VLAN ID. With 24 bits there are nearly 16 million usable VXLANs. The VNI is carried in the encapsulation of the inner frame (which originates in the virtual machine), and this encapsulation lets VXLAN build tunnels that overlay a Layer 2 network on top of a Layer 3 network.

VXLAN tunnel: the logical tunnel between two VTEPs over which VXLAN-encapsulated packets are transmitted. When a service enters the tunnel, the packet is encapsulated with a VXLAN header, a UDP header and an IP header, forwarded transparently to the remote VTEP by Layer 3 forwarding, and decapsulated by the remote VTEP as it leaves the tunnel.

VSI: a virtual switch instance on the VTEP that provides Layer 2 switching for one VXLAN.

Network deployment requirements

VXLAN adds 50 bytes of encapsulation to each packet sent by a VM, so the IP network needs a larger end-to-end MTU.

Because a new VXLAN header is added, VXLAN packets can no longer use the NIC's hardware offload capability, and a vSwitch that supports VXLAN consumes more CPU as a result.

Requirements for interworking between VXLAN and traditional networks

To achieve interworking between VLAN and VXLAN, VXLAN defines the VXLAN gateway. A VXLAN gateway has both VXLAN ports and ordinary ports; it bridges the VXLAN network to the external network and performs the mapping and routing between VXLAN IDs and VLAN IDs. As with VLANs, communication between different VXLANs also requires a Layer 3 device, that is, VXLAN routing. VXLAN gateways can likewise be implemented in hardware or in software.

When data arrives from the VXLAN network destined for the ordinary network, the VXLAN gateway removes the outer header and forwards the frame to an ordinary port according to the original inner frame header. When data enters the VXLAN network from the ordinary network, the VXLAN gateway adds the outer header, maps the original VLAN ID to a VNI, and removes the VLAN ID from the inner header. Correspondingly, if the VXLAN gateway finds that the inner frame header of a VXLAN packet still carries the original Layer 2 VLAN ID, it discards the packet.

The simplest implementation of a VXLAN gateway is a bridge device that only converts between VXLAN and VLAN, including 1:1 and N:1 VXLAN-to-VLAN conversion. A more complex implementation may include a VXLAN mapping function for forwarding across VXLANs. The physical form can be a vSwitch or a TOR switch.

The simplest implementation of a VXLAN router is a switch device supporting a function similar to VLAN mapping that maps between VXLAN IDs. A more complex implementation is a router device that supports forwarding across VXLANs. The physical form can be a vRouter, a TOR switch or a router.
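The VXLAN gateway rules described above (VLAN ID to VNI mapping with the inner tag stripped, the 50-byte encapsulation overhead, and discarding VXLAN packets whose inner frame still carries a VLAN tag) can be made concrete at the byte level. The following is an added example, not code from the patent: it builds and parses the 8-byte VXLAN header with its 24-bit VNI and models a 1:1 bridge-type gateway in both directions. The sample MAC addresses and the VLAN 100 to VNI 5000 mapping are constructed for the demonstration.

```python
import struct
from typing import Dict, Optional, Tuple

ETH_P_8021Q = 0x8100          # 802.1Q VLAN tag TPID
ETH_P_IP = 0x0800
VXLAN_I_FLAG = 0x08           # "valid VNI" flag, the only mandatory VXLAN header flag
# Bytes a VTEP adds in front of the VM's frame: outer Ethernet 14 + IPv4 20 + UDP 8 + VXLAN 8.
VXLAN_OVERHEAD = 14 + 20 + 8 + 8


def underlay_mtu_for(vm_mtu: int) -> int:
    """End-to-end MTU the IP underlay must carry so that VM frames of vm_mtu survive encapsulation."""
    return vm_mtu + VXLAN_OVERHEAD


def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) | reserved(3) | VNI(3) | reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must be a 24-bit value")
    return bytes([VXLAN_I_FLAG, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"


def parse_vxlan_header(payload: bytes) -> Tuple[int, bytes]:
    """Return (vni, inner_frame); reject payloads that lack the mandatory I flag."""
    if len(payload) < 8 or not payload[0] & VXLAN_I_FLAG:
        raise ValueError("not a valid VXLAN header")
    return int.from_bytes(payload[4:7], "big"), payload[8:]


def build_ethernet(dst: bytes, src: bytes, ethertype: int, body: bytes,
                   vlan_id: Optional[int] = None) -> bytes:
    """Construct a frame, optionally with an 802.1Q tag (PCP/DEI left at zero)."""
    tag = struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF) if vlan_id is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + body


def inner_vlan_id(frame: bytes) -> Optional[int]:
    """VLAN ID of an 802.1Q-tagged frame, or None when the frame is untagged."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == ETH_P_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None


def vlan_to_vxlan(frame: bytes, vlan_to_vni: Dict[int, int]) -> Optional[bytes]:
    """Ordinary network -> VXLAN: map the VLAN ID to a VNI, strip the inner tag and prepend
    the VXLAN header. Frames whose VLAN has no mapping are dropped (None)."""
    vid = inner_vlan_id(frame)
    if vid is None or vid not in vlan_to_vni:
        return None
    untagged = frame[:12] + frame[16:]           # remove the 4-byte 802.1Q tag
    return build_vxlan_header(vlan_to_vni[vid]) + untagged


def vxlan_to_vlan(payload: bytes, vni_to_vlan: Dict[int, int]) -> Optional[bytes]:
    """VXLAN -> ordinary network: decapsulate and re-tag with the VLAN mapped to the VNI.
    A VXLAN packet whose inner frame still carries a VLAN tag is discarded, as the gateway
    rule above requires; an unknown VNI is dropped as well."""
    vni, inner = parse_vxlan_header(payload)
    if inner_vlan_id(inner) is not None or vni not in vni_to_vlan:
        return None
    return inner[:12] + struct.pack("!HH", ETH_P_8021Q, vni_to_vlan[vni]) + inner[12:]


# Constructed sample MACs and an assumed 1:1 VLAN<->VNI mapping for the demonstration.
VM1_MAC = bytes.fromhex("020000000001")
VM2_MAC = bytes.fromhex("020000000002")
VLAN_TO_VNI = {100: 5000}
VNI_TO_VLAN = {vni: vid for vid, vni in VLAN_TO_VNI.items()}


def demo() -> dict:
    """Push a VLAN 100 frame through the gateway in both directions and exercise the drop rule."""
    tagged = build_ethernet(VM2_MAC, VM1_MAC, ETH_P_IP, b"constructed payload", vlan_id=100)
    encap = vlan_to_vxlan(tagged, VLAN_TO_VNI)
    vni, inner = parse_vxlan_header(encap)
    # A tagged frame wrongly carried inside a VXLAN packet must be discarded on the way out.
    bad = build_vxlan_header(5000) + tagged
    return {
        "vni": vni,
        "inner_is_untagged": inner_vlan_id(inner) is None,
        "round_trip_ok": vxlan_to_vlan(encap, VNI_TO_VLAN) == tagged,
        "tagged_inner_dropped": vxlan_to_vlan(bad, VNI_TO_VLAN) is None,
        "underlay_mtu_for_1500": underlay_mtu_for(1500),
    }
```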

VXLAN network security requirements

Like traditional networks, VXLAN networks also need security protection.

Two requirements need to be considered when deploying security resources in a VXLAN network:

Security control of interworking between VXLAN and VLAN

Traffic flows between traditional networks and overlay networks, so the traffic entering and leaving the interconnection must be security-controlled to prevent security problems from spreading between the networks. For this case, security resources such as a VXLAN firewall can be deployed at the interworking point; a VXLAN firewall can combine the functions of a VXLAN gateway and a VXLAN router.

Security control of interworking between different VXLAN domains identified by VXLAN IDs

Securing east-west traffic between VMs is a problem specific to virtualized environments: traffic between different VMs on the same server may be switched directly inside the server, so external security resources never see it. For this case, traffic can be redirected (steered) to the security resources, or protection can be applied directly at the virtual-machine level.

Security resources in a network deployment can be hardware, software or virtualized security resources. It is recommended to deploy security using the security service chain model, in which the controller defines the service chain model and thereby automates security deployment.

Decoupling host deployment from physical location

By using MAC-in-UDP encapsulation, VXLAN gives virtual machines a location-independent Layer 2 abstraction, decoupling the underlay network from the overlay network. Endpoints see only a virtual Layer 2 connection and are entirely unaware of the constraints of the physical network.

More importantly, this technology supports virtualization across traditional network boundaries, so virtual machines can migrate freely, even between data centers in different geographic locations. Virtual machines can thus attach to the network anywhere, at any time, regardless of their actual physical location.

The location independence of VXLAN therefore not only allows services to be deployed flexibly at any location, easing the network scaling problems that follow server virtualization, but also lets virtual machines attach and migrate anywhere at any time. It is the best way to pool network resources and strongly supports the rapid development of cloud services, big data and virtualization.

Distributed gateway

In a distributed EVPN gateway network, every VTEP acts as an EVPN gateway and performs Layer 3 forwarding for the traffic of its local site, relieving the load on the gateways.

Distributed EVPN gateway deployment

Distributed EVPN gateways forward traffic in symmetric IRB mode, meaning that both gateways connecting the source and destination of a packet (the ingress gateway and the egress gateway) perform Layer 2 and Layer 3 forwarding. Symmetric IRB introduces the following concepts:

L3VNI (Layer 3 VNI, Layer 3 VXLAN ID): when traffic is forwarded between gateways over a VXLAN tunnel, traffic that belongs to the same routing domain and can interwork at Layer 3 is identified by an L3VNI. An L3VNI is uniquely associated with one VPN instance, and the VPN instance ensures isolation between different services.

Router MAC address of the gateway: each distributed EVPN gateway has a unique router MAC address used when forwarding traffic between gateways over VXLAN tunnels. When a packet is forwarded between gateways, its inner MAC address is the router MAC address of the egress gateway.

In a distributed EVPN gateway network, the following types of VSI virtual interfaces exist on every distributed EVPN gateway (GW):

VSI virtual interface acting as the distributed gateway interface. This interface must be associated with a VSI and a VPN instance. The IP address of the same VSI virtual interface must be identical on the different GWs; this IP address serves as the gateway address of the virtual machines in that VXLAN.

VSI virtual interface carrying the L3VNI. This interface must be associated with a VPN instance and have an L3VNI specified. VSI virtual interfaces associated with the same VPN instance share that L3VNI.

The border gateway (Border) must also have a VSI virtual interface carrying the L3VNI.

Layer 3 forwarding entry learning

Layer 3 traffic is forwarded by looking up FIB entries. FIB entries are generated from routing information or from ARP information.

After an external route is imported under the EVPN address family, the VTEP advertises the route and its L3VNI to the remote VTEP via MP-BGP. The remote VTEP learns the route and adds it to the FIB of the VPN instance corresponding to that L3VNI; the outbound interface of the entry is the VXLAN tunnel interface (Tunnel interface) between the two VTEPs, and the next hop is the address carried in the route's NEXT_HOP attribute (the address of the peer VTEP).

ARP information learning on a VTEP has two parts:

Local learning: learning the ARP information of virtual machines in the local site. The VTEP learns a local VM's ARP information from the GARP and RARP it sends and from its ARP requests to the gateway, and adds ARP and FIB entries. The VTEP determines the VSI to which the GARP, RARP or ARP request belongs and looks up the VSI virtual interface associated with that VSI. The outbound interface of the ARP and FIB entries is the interface on which the packet was received, and the VPN instance of the entries is the one associated with the VSI virtual interface.

Remote learning: learning the ARP information of virtual machines in remote sites. The VTEP advertises its local ARP information and the associated L3VNI to the remote VTEP via MP-BGP. The remote VTEP learns this information but does not add an ARP entry; instead, the routing management module adds a FIB entry whose outbound interface is the VSI virtual interface associated with the L3VNI, whose next hop is the address carried in the route's NEXT_HOP attribute (the address of the peer VTEP), and whose VPN instance is the one corresponding to the L3VNI. The remote VTEP then looks up the ARP information for that next hop and adds the corresponding ARP entry.

Traffic forwarding

A distributed gateway forwards traffic in one of two modes:

Separate Layer 2 and Layer 3 forwarding: Layer 2 traffic is forwarded by looking up the MAC address table, Layer 3 traffic by looking up the FIB. In this mode it is recommended to enable ARP flood suppression on the distributed gateway to reduce flooding.

Full Layer 3 forwarding: both Layer 2 and Layer 3 traffic are forwarded by looking up the FIB. In this mode, local proxy ARP must be enabled on the distributed gateway.

Overlay network flow-table routing

In a virtualized environment, when one virtual machine needs to communicate with another, it first obtains the peer's MAC address through an ARP broadcast request. Because VXLAN networks are complex and broadcast traffic wastes bandwidth, ARP proxy reply is implemented on the controller: the controller answers ARP requests centrally instead of creating broadcast flow entries.

The general flow of ARP proxy reply: the controller receives an ARP request punted by OVS and performs IP-MAC anti-spoofing checks to confirm that the packet is legitimate; it then takes the destination IP from the ARP request, looks up the global table with that IP as the key to obtain the corresponding MAC, builds an ARP reply with that MAC as the source MAC, and sends it down to OVS through a Packet-Out message.
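The controller-side flow described above can be written out against real ARP frames. The following is an added example, not code from the patent: it decodes a punted Ethernet/ARP request, applies an IP-MAC anti-spoofing check against the controller's global IP-to-MAC table (here constructed inline rather than learned from the cloud platform or first packets), and builds the unicast ARP reply that would go back to OVS in a Packet-Out. The rule that an IP absent from the global table is left unanswered, and the audit log of rejected requests, are assumptions of this example.

```python
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str,
              eth_dst: Optional[str] = None) -> bytes:
    """Ethernet frame carrying an ARP packet for IPv4 over Ethernet (htype 1, ptype 0x0800)."""
    smac, tmac = mac_bytes(sender_mac), mac_bytes(target_mac)
    eth = (mac_bytes(eth_dst) if eth_dst else BROADCAST) + smac + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + smac + ip_bytes(sender_ip) + tmac + ip_bytes(target_ip))
    return eth + arp


def parse_arp(pkt: bytes) -> Optional[dict]:
    """Decode an Ethernet/ARP frame; None for anything that is not well-formed IPv4 ARP."""
    if len(pkt) < 42 or struct.unpack("!H", pkt[12:14])[0] != ETH_P_ARP:
        return None
    arp = pkt[14:]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "eth_src": fmt_mac(pkt[6:12]),
        "sender_mac": fmt_mac(arp[8:14]),
        "sender_ip": fmt_ip(arp[14:18]),
        "target_ip": fmt_ip(arp[24:28]),
    }


class ArpProxy:
    """Controller-side ARP proxy reply over a global IP -> MAC table (constructed for the example)."""

    def __init__(self, global_table: Dict[str, str]) -> None:
        self.table = global_table
        self.dropped: List[Tuple[str, str, str]] = []   # audit trail of rejected requests

    def handle_packet_in(self, pkt: bytes) -> Optional[bytes]:
        """Return the ARP reply to send back to OVS via Packet-Out, or None to drop the request."""
        req = parse_arp(pkt)
        if req is None or req["op"] != ARP_REQUEST:
            return None
        # IP-MAC anti-spoofing: the sender's claimed IP must be bound to the claimed MAC in the
        # global table, and the ARP sender MAC must match the Ethernet source MAC.
        if self.table.get(req["sender_ip"]) != req["sender_mac"] or req["eth_src"] != req["sender_mac"]:
            self.dropped.append(("spoofed-sender", req["sender_ip"], req["sender_mac"]))
            return None
        target_mac = self.table.get(req["target_ip"])
        if target_mac is None:
            # Assumption for this example: an IP absent from the global table is not answered.
            self.dropped.append(("unknown-target", req["target_ip"], req["sender_mac"]))
            return None
        # The reply carries the resolved MAC as its source MAC and is unicast back to the requester.
        return build_arp(ARP_REPLY, target_mac, req["target_ip"],
                         req["sender_mac"], req["sender_ip"], eth_dst=req["sender_mac"])


# Constructed global table for two VMs.
GLOBAL_TABLE = {"10.0.0.1": "02:00:00:00:00:01", "10.0.0.2": "02:00:00:00:00:02"}


def demo() -> dict:
    proxy = ArpProxy(GLOBAL_TABLE)
    legit = build_arp(ARP_REQUEST, "02:00:00:00:00:01", "10.0.0.1", "00:00:00:00:00:00", "10.0.0.2")
    # Same source MAC but claiming VM2's IP: the IP-MAC binding does not match the table.
    spoofed = build_arp(ARP_REQUEST, "02:00:00:00:00:01", "10.0.0.2", "00:00:00:00:00:00", "10.0.0.1")
    reply = proxy.handle_packet_in(legit)
    return {
        "reply": parse_arp(reply) if reply else None,
        "spoofed_dropped": proxy.handle_packet_in(spoofed) is None,
        "drop_log": list(proxy.dropped),
    }
```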

Cloud-network integration

The future of the data center must be the cloud computing center. Host virtualization has already greatly reduced the complexity of service deployment, but cloud automation also requires supporting network features.

The network architecture supports visualization, software definition and distributed networking; automation reduces management complexity and provides a high-performance, highly reliable and low-cost network architecture that forms a unified infrastructure for rapid delivery of all network services.

网络架构秉承开放性的理念,可按需集成于任意异构的资源管理平台或云平台,并提供了对于标准协议的广泛支持,包括FCoE、802.1BR、EVPN、VxLAN、OVSDB、OpenFlow等协议的支持,有效地防止了客户被单一产品锁定,无法迁移到新技术上的风险。The network architecture adheres to the concept of openness and can be integrated into any heterogeneous resource management platform or cloud platform as needed, and provides extensive support for standard protocols, including FCoE, 802.1BR, EVPN, VxLAN, OVSDB, OpenFlow and other protocols. Support, effectively preventing the risk of customers being locked into a single product and unable to migrate to new technologies.

网络架构为客户提供了不同层级的自动化手段和技术,包括Turnkey模式的自动化功能,以及基于接口或第三方开源软件的自动化手段。The network architecture provides customers with different levels of automation means and technologies, including Turnkey mode automation functions, and automation means based on interfaces or third-party open source software.

数据中心直接支持Fabric自动化,可以基于角色自动化完成IP可达为止的自动化部署工作,减轻初始化部署工作量。The data center directly supports Fabric automation, which can automatically complete the automatic deployment until the IP is reachable based on role automation, reducing the workload of initial deployment.

数据中心的网络构成节点包括了高性能交换设备,从芯片角度可以支持对于特定流量、特定端口或虚拟网络的信息采集、监控、报告的能力,配合SDN Controller提供全程可视化呈现以及图形化的故障诊断工具。The network constituent nodes of the data center include high-performance switching devices, which can support information collection, monitoring, and reporting capabilities for specific traffic, specific ports, or virtual networks from a chip perspective, and provide full visual presentation and graphical fault diagnosis with the SDN Controller. tool.

针对资源分布在多个数据中心或多个云之间的难题,数据中心支持多数据中心的分布式部署,通过构筑IP网络之上的新一代多点以太网虚拟化互联技术,可支持多个数据中心的虚拟资源池连接,可以综合管理和分配位于多个数据中心的逻辑资源或物理资源。Aiming at the problem that resources are distributed among multiple data centers or multiple clouds, the data center supports the distributed deployment of multiple data centers. The virtual resource pool connection of the data center can comprehensively manage and allocate logical or physical resources located in multiple data centers.

Security

Traditional security protection depends on the topology for its traffic paths, relies on many manual, static and scattered configurations, cannot reuse device processing capacity, and scales only vertically on a single device. This protection model does not meet the security requirements of the cloud computing era.

In the cloud computing era, compute resources are pooled and can be freely scheduled and dynamically expanded, and network resources are pooled with VXLAN. Security, as an important network service, should likewise become an elastic resource whose deployment and management are automated and independent of topology.

In this solution, security services are deployed as service chains.

Service chains are defined and planned centrally by the SDN controller, which makes security resources independent of topology. The benefits are:

1. Security services ride on the overlay logical network; no manual configuration or traffic steering is needed and the service is deployed automatically. Services come online quickly, and when a workload migrates the service follows it automatically.

2. Service resources are pooled, used on demand, scale linearly in a variety of forms, and are location-independent. This lowers cost and makes services highly scalable.

3. Service nodes are separated from forwarding nodes, with a single flow classification. Services can be orchestrated according to business requirements.

Controller cluster

OpenFlow 1.3 supports multiple controllers, which greatly improves the reliability and performance of an SDN network. Building on the OpenFlow 1.3 multi-controller mechanism, the controller role definitions in OpenFlow 1.3 are refined and extended to implement a controller cluster, further improving the reliability of the SDN network.

Dual-NIC high-reliability mechanism

Each SDN controller connects to the SDN network through two NICs; for best results the two NICs attach to different switches. The two NICs are configured with IP addresses in different subnets, and the controller acts as a router that can learn and advertise routes. A loopback IP address is configured on the controller and serves as the controller IP address, its single unique address in the network: it is the address used to join the cluster and to establish southbound and northbound connections. The controller IP address is advertised through the NICs into the intermediate network, so that the intermediate network devices and the GW/VTEPs learn a route to it.

Southbound connections between the controller and the GW/VTEPs use the controller IP address, and either NIC can serve as the actual physical port. When one NIC fails, the routes between the controller and the GW/VTEPs remain reachable after convergence and the southbound connections are unaffected. This is how dual-NIC protection of the controller's southbound connectivity is achieved.

When a cluster is created, the loopback address is used as the controller's address within the cluster, the loopback is selected as the cluster NIC, and the cluster IP address is configured with a 32-bit mask. The cluster leader advertises the cluster IP address into the intermediate network through routing, so devices that access the cluster IP address reach the leader directly.

The dual-NIC mechanism gives the controller routing configuration, multi-NIC Layer 3 access with Layer 3 path protection, and a unified cluster address. Its advantages are:

The controller joins the user network through a routing protocol, learns the routes in the network and advertises any address it owns, allowing flexible routing policy between network devices and the controller and removing the earlier restriction that a controller could only attach through a fixed NIC.

The controller can use a non-NIC address (for example a valid address configured on the loopback) to form a cluster or to establish north- and southbound connections with other devices. Once the built-in router has advertised that address, controllers can join the cluster from anywhere as long as they are mutually routable; there is no longer any geographical restriction.

When a network device establishes a southbound or northbound connection with the controller through this address, each of the controller's NICs can attach to the network at Layer 3 and act as a Layer 3 interface between the controller and external devices. With several NICs these interfaces back each other up, so a single NIC failure on the controller does not affect its external connectivity, including intra-cluster connections and north- and southbound connections. This considerably improves the controller's network access.

ISSU upgrade

Controller upgrades are unavoidable during the life of an SDN network. Whether a controller can be upgraded smoothly without affecting live forwarding is an important measure of SDN network reliability.

Within an SDN controller cluster, the controllers in a region can be upgraded with ISSU, and SDN forwarding sees zero packet loss during the upgrade.

Select one controller to upgrade and switch its services to the other controller in the region. After the switchover the controller to be upgraded leaves the cluster automatically, the new version is installed, and once the upgrade finishes the controller rejoins the cluster automatically.

Repeat the steps above for the other controller in the region to complete the ISSU upgrade of all controllers in the region. After the upgrade, services are automatically load-shared again between the two controllers of the region (region re-switching).

Cluster virtual IP high reliability

Northbound, the cluster exposes a single virtual IP for integration with the upper-layer platform. The cluster virtual IP is owned and served by the cluster leader.

When the leader fails, the leader role moves within the cluster and the new leader serves from the same cluster address. External devices do not perceive the role change inside the cluster, which gives a genuinely unified northbound service.

Openness

The openness of the SDN solution shows in the following areas:

At the control plane, the SDN controller is the foundation for modular software deployment and controls the network through standard protocols.

Northbound, the SDN controller integrates with the cloud management platform through an open REST API and an OpenStack Neutron plug-in. It also exposes an embedded Java API on which SDN applications can be developed and embedded seamlessly into the VCF controller platform.

Southbound, the SDN controller uses the standard southbound interfaces defined in OpenDaylight, currently mainly the OpenFlow, NETCONF and OVSDB standard protocols.

At the network element level, the network devices run a unified operating system platform that provides many open programming interfaces such as REST API, Python, NETCONF and YANG; the platform can also host third-party applications.

This open architecture ensures that the SDN solution integrates seamlessly with third-party cloud platforms and with third-party network elements that follow the protocols.

Extensibility

The SDN solution provides a forward-compatible RESTful API and virtual network object model. The fabric managed by the SDN solution is based on BGP EVPN and VXLAN, giving a better overlay traffic model with IRB forwarding. The SDN solution controls the distribution and policies of the virtual network fabric, so resources such as routes and forwarding entries are not limited by the specification of any single fabric node.

The SDN solution supports adding physical network elements on demand and building the fabric in modules. It decouples the overlay control plane from the underlay control plane in layers, enabling smooth expansion of network elements.

The egress supports multiple border devices. In equal-cost mode this improves egress reliability; in non-equal-cost mode traffic can be steered flexibly per service.

Management, operation and maintenance

Traditional IT management platforms focus on operating resources, with compute, storage and network managed separately. IT capability depends too heavily on the experience and skills of staff in each domain, the mapping between running services and the physical resources they occupy is unclear, and IT intervenes too late when a service fails. According to a Gartner report, IT operations management is shifting from this resource-oriented model to a service-oriented one, where insight into service operating data and delivery quality (user experience) and fast diagnosis of operational faults matter most.

The SDN controller covers the design, implementation, monitoring and optimization stages. Compared with traditional O&M platforms it has the following characteristics:

Data center planning is visualized end to end; plans and orchestration can be inherited, traced back and deployed, decoupling IT capability from individual staff.

Automated deployment builds a data center in one click, decouples configuration from devices, reduces the number of configuration files, and deploys compute, storage and network resources automatically and uniformly.

Resource and service monitoring is fully visualized, with mapping and topology between physical resources, virtual resources and services, making clear which physical resources each business system uses.

Fault detection and end-to-end diagnosis and troubleshooting are built on the data center's multi-dimensional data.

Application-driven automatic optimization gives closed-loop, application-oriented O&M.

Data center planning and design orchestration

The SDN controller gives O&M staff a unified planning and orchestration interface for data center network and compute resources. A drag-and-drop interface builds the global resource topology quickly and simply, helping O&M staff plan data-center-wide resource capacity and configuration.

Data center capacity planning

Based on the spine-leaf architecture, and distinguishing three networking technologies (centralized VXLAN, distributed VXLAN and VLAN), the controller calculates data center capacity plans automatically.

Starting from either the spine capacity requirements (oversubscription ratio, port type and count, and so on) or the server capacity requirements, it calculates the overall capacity plan of the fabric, including the number of spine and leaf nodes, the number of uplink and downlink ports, and the number of servers.

After the calculation, a planned topology containing spines, leaves and compute nodes of the corresponding capacity is generated automatically from the result, and network and compute resources can then be planned and arranged by drag and drop.
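The capacity calculation described above, worked through as an added example in Python (not the controller's own algorithm, which the page does not give). It sizes a two-tier spine-leaf fabric in both directions the text mentions: from a server count, and from the spine radix. The switch models, port counts, the dual-homing assumption and the 3:1 oversubscription bound are constructed for the example.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class LeafModel:
    name: str
    downlink_ports: int   # server-facing ports
    downlink_gbps: int
    uplink_ports: int     # spine-facing ports
    uplink_gbps: int


@dataclass(frozen=True)
class SpineModel:
    name: str
    ports: int
    port_gbps: int


@dataclass(frozen=True)
class FabricPlan:
    servers: int
    leaves: int
    spines: int
    uplinks_per_leaf: int
    downlinks_per_leaf: int
    oversubscription: float   # leaf downlink bandwidth / leaf uplink bandwidth


# Constructed example models (not real product data).
LEAF = LeafModel("L-48x25G", downlink_ports=48, downlink_gbps=25, uplink_ports=8, uplink_gbps=100)
SPINE = SpineModel("S-32x100G", ports=32, port_gbps=100)


def plan_from_servers(servers: int, leaf: LeafModel, spine: SpineModel,
                      max_oversubscription: float = 3.0, nics_per_server: int = 2) -> FabricPlan:
    """Size the fabric for a given number of servers.

    Assumptions (made for this example): every server is dual-homed to a leaf pair,
    every leaf has one uplink to every spine, and the per-leaf oversubscription
    (convergence) ratio must not exceed max_oversubscription.
    """
    if servers <= 0 or nics_per_server <= 0:
        raise ValueError("servers and nics_per_server must be positive")
    if spine.port_gbps != leaf.uplink_gbps:
        raise ValueError("spine port speed must match leaf uplink speed")
    leaves = math.ceil(servers * nics_per_server / leaf.downlink_ports)
    if nics_per_server == 2 and leaves % 2:
        leaves += 1   # dual-homed servers need leaves in pairs
    downlink_bw = leaf.downlink_ports * leaf.downlink_gbps
    # Smallest uplink count that keeps the ratio within bound, but at least two for redundancy.
    spines = max(2, math.ceil(downlink_bw / (max_oversubscription * leaf.uplink_gbps)))
    if spines > leaf.uplink_ports:
        raise ValueError(f"{leaf.name} has only {leaf.uplink_ports} uplinks; "
                         f"cannot meet ratio {max_oversubscription}")
    if leaves > spine.ports:
        raise ValueError(f"{spine.name} radix {spine.ports} cannot attach {leaves} leaves")
    ratio = downlink_bw / (spines * leaf.uplink_gbps)
    return FabricPlan(servers, leaves, spines, spines, leaf.downlink_ports, ratio)


def plan_from_spine(leaf: LeafModel, spine: SpineModel,
                    max_oversubscription: float = 3.0, nics_per_server: int = 2) -> FabricPlan:
    """Work the other way round: the spine radix bounds the leaf count, which bounds the servers."""
    leaves = spine.ports
    if nics_per_server == 2 and leaves % 2:
        leaves -= 1
    servers = leaves * leaf.downlink_ports // nics_per_server
    return plan_from_servers(servers, leaf, spine, max_oversubscription, nics_per_server)


if __name__ == "__main__":
    print(plan_from_servers(500, LEAF, SPINE))
    print(plan_from_spine(LEAF, SPINE))
```

With these models, 500 dual-homed servers need 22 leaves and 4 spines at exactly 3:1; the same leaf model can never reach 1:1 because it has only 8 uplinks, and the function refuses the plan instead of silently under-provisioning.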

Data center initial configuration planning

This covers DDI configuration, the initial network configuration policy and the initial server configuration policy, and finally orchestrates these policies onto the planned topology.

DDI configuration planning

Provides DHCP server configuration, IP address pool planning for network devices (separately for spine and leaf), and IP address pool planning for the servers' out-of-band management and service ports.

Initial network configuration policy planning

Guides the automated initial configuration of network devices. It includes the configuration file templates to push to devices during initial network setup, the parameters for automatic onboarding (such as SNMP and NETCONF), the device software version, and the conditions under which each item applies, giving automated deployment policies that distinguish network role (spine/leaf), location, model, MAC address and so on.

Initial server configuration policy planning

Guides the automated initial configuration of servers. It defines the configuration templates to push to bare-metal servers during deployment (OS installation, management and service IP configuration, storage volume configuration, onboarding into the virtualization platform, network VLAN connectivity), the parameters for automatic onboarding (such as iLO and IPMI), and the conditions under which each item applies, giving automated deployment policies that distinguish server model, access location, serial number and so on.

Once the planning and design orchestration of the data center has been prepared, physical devices and servers can be racked and powered on at any time. The controller automatically pushes the planned configuration and software to the devices, brings the network up, and automatically takes the resources under its management. Deployment efficiency is nearly 100 times that of the traditional manual approach.

Users do not need to take part in this deployment process. The system records the process in real time so that progress can be followed in full, and the record can be used to trace back and pinpoint the cause of any failure during bring-up.

The network automation process is as follows. O&M staff rack and cable the equipment according to the plan. When a device powers on it obtains the TFTP server IP and the version file name from the DHCP server, downloads the version file matching its role from the TFTP server built into the controller, runs the automation workflow to apply and enable the planned configuration, and reboots to complete automated onboarding.
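An added example (not code from the patent or from any controller) of the policy-matching step in this automated bring-up: a device identified by MAC, model and location is matched against the planned deployment policies, the most specific match wins, and the downloaded version file is checked against the hash recorded in the plan before any configuration is applied. DHCP and TFTP carry no authentication, so the hash check is an assumption added here about how a practitioner would protect the step; the device attributes, policies, version files and hashes are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """Identity a device presents during automated bring-up (constructed fields)."""
    mac: str
    serial: str
    model: str
    role: str       # spine / leaf, taken from the planned topology
    location: str   # e.g. rack identifier


@dataclass
class Policy:
    """One automated deployment policy: match conditions plus what to push."""
    conditions: dict          # device attribute -> required value
    version_file: str
    version_sha256: str       # hash recorded in the plan for the version file
    config_template: str

    def matches(self, dev: Device) -> bool:
        return all(getattr(dev, k, None) == v for k, v in self.conditions.items())


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for firmware images served by the controller's TFTP server.
VERSION_FILES = {
    "spine-v7.1.bin": b"SPINE IMAGE v7.1 (constructed)",
    "leaf-v7.1.bin": b"LEAF IMAGE v7.1 (constructed)",
    "leaf-v7.2.bin": b"LEAF IMAGE v7.2 (constructed)",
}

# Constructed plan: a general policy per role, plus a more specific one for one model in one rack.
POLICIES = [
    Policy({"role": "spine"}, "spine-v7.1.bin",
           sha256_hex(VERSION_FILES["spine-v7.1.bin"]), "spine-base.cfg"),
    Policy({"role": "leaf"}, "leaf-v7.1.bin",
           sha256_hex(VERSION_FILES["leaf-v7.1.bin"]), "leaf-base.cfg"),
    Policy({"role": "leaf", "model": "L-48x25G", "location": "rack-03"}, "leaf-v7.2.bin",
           sha256_hex(VERSION_FILES["leaf-v7.2.bin"]), "leaf-rack03.cfg"),
]


def select_policy(dev: Device, policies=POLICIES):
    """Pick the matching policy with the most conditions; refuse ambiguous ties."""
    hits = sorted((p for p in policies if p.matches(dev)),
                  key=lambda p: len(p.conditions), reverse=True)
    if not hits:
        return None
    if len(hits) > 1 and len(hits[0].conditions) == len(hits[1].conditions):
        raise ValueError(f"ambiguous deployment policies for {dev.mac}")
    return hits[0]


def verify_version_file(data: bytes, policy: Policy) -> bool:
    """True only if the downloaded bytes hash to the value recorded in the plan."""
    return hmac.compare_digest(sha256_hex(data), policy.version_sha256)


def bring_up(dev: Device, downloaded: bytes, policies=POLICIES):
    """Decision after DHCP/TFTP: ("apply", template) or ("halt", reason)."""
    policy = select_policy(dev, policies)
    if policy is None:
        return ("halt", "no deployment policy for device")
    if not verify_version_file(downloaded, policy):
        return ("halt", "version file hash mismatch")
    return ("apply", policy.config_template)
```

A leaf of the named model in rack-03 gets the rack-specific policy; any other leaf falls back to the role-wide one; a device no policy covers, or one whose downloaded file does not match the planned hash, halts instead of applying configuration.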

Devices managed by the controller can then have maintenance tasks such as VLAN and ACL configuration, configuration backup and software upgrade performed, and their status monitored, from the planned topology.

After the network automation process has finished, O&M staff can configure fabric services in the controller: underlay, overlay (VXLAN), service chains and so on.

Resource and service visualization

Once resources have been deployed and onboarded, the controller focuses on visual monitoring of fabric resources: network (underlay/overlay), storage, servers and virtualization. Resource status can be viewed and maintained per department.

For network devices it monitors running status, configuration and software version, faults, device connectivity checks, traffic and the network-wide topology.

It shows VXLAN configuration and monitors service traffic inside each VXLAN.

For physical storage devices it monitors device information, running status and capacity usage.

It shows server information and running status, including usage of total server capacity, important events and topology changes.

It can manage multi-vendor virtualization platforms such as VMware, KVM, Hyper-V, Xen and CAS, and supports creating, modifying, configuring, cloning, templating, migrating and monitoring virtual machines.

The ultimate purpose of data center operations is to deliver user applications and services. Beyond monitoring the state of the physical and virtual resource layers, the application and service layers must therefore be monitored at the same time, so that problems are found and dealt with before service quality degrades. The controller provides full visualization of applications, services and traffic.

Application visualization

Actively monitors the OS, databases, middleware and other applications running on servers and virtual machines, reflects application availability and health in real time, and detects abnormal application behaviour promptly.

Traffic visualization

Visualizes data center traffic through the traffic distribution of applications and services, including application type, bandwidth usage, duration, whether traffic originates inside or outside the DC, and long-term trend analysis, supporting bandwidth quality assurance for data center applications and overall bandwidth capacity planning.

From the service perspective, it integrates and analyses the operating state of resources and applications across dimensions and presents service health through a preset health-scoring mechanism in a clear interface, greatly improving data center O&M efficiency.

Inspection and diagnosis

A data center O&M team spends much of its day on inspections to find anomalies and on diagnosing and locating problems. The controller automates this work with inspection and diagnosis tools that work from several angles, freeing O&M staff from repetitive tasks.

First, in a virtual-reality view, the operator can steer a simulated inspector through every corner of the data center and inspect the equipment room, seeing the state of the room's power and environment, racks and devices at a glance.

Automated device inspection: inspection items, inspection period and anomaly criteria are defined to form an inspection policy; device hardware, software state, load, protocol state and security are checked, and periodic inspection reports are delivered.

End-to-end service diagnosis (E-E troubleshooting): after an inspection finds an anomaly, diagnostic methods including alarm analysis, system analysis, connectivity checks, protocol analysis and radar ping determine the root cause, providing the basis for resolution and optimization. For example, system analysis can detect host CPU and disk over-provisioning ratios and analyse IOPS; connectivity checks cover vSwitch, VLAN binding, VSI tunnel configuration and routing configuration; protocol analysis covers ACL rule conflicts, firewall policies, service chain policies and so on.

Application-driven automatic optimization

After resource or service anomalies are discovered, actively or passively, through visual monitoring, alarm analysis, inspection analysis and other means, response management handles and resolves them promptly and closes the anomaly. Diagnosis and response that start from the application and service layer in particular drive automatic optimization of the data center, with a clear value orientation and a more direct effect.

Security incident response details

Using O&M data such as performance, events and traffic, the controller detects degradation of application or service quality and, through application-oriented response policies, performs end-to-end dynamic resource scheduling. It notifies administrators in several ways (for example e-mail, SMS, audible alert, SNMP trap) and triggers response actions such as QoS, security policy, service chain policy or custom scripts to restore application or service quality quickly, giving closed-loop, application-oriented O&M.

Dual data center interconnection

EVI provides an operationally optimized solution for extending Layer 2 connectivity across any transport network. It therefore plays a key role in the efficient deployment of distributed data centers, supporting application reliability and flexible workload migration. Using MAC-address routing, EVI provides an overlay network that delivers Layer 2 connectivity between separate Layer 2 domains while preserving the independence of those domains and the fault tolerance, resilience and load-balancing advantages of IP interconnection.

EVI networking solution

In the EVI networking solution the type of network between the data centers does not matter; Layer 2 interworking between data centers only requires IP reachability between the EVI edge devices. An EVI tunnel is set up between the edge devices, and Ethernet frames cross it into the Layer 2 domain of the other data center, giving Layer 2 interconnection.

EVI can be combined with IRF to provide high availability and dual-homing for the edge devices. If the data center aggregation switches also support IRF, link bandwidth utilization and HA between the edge devices and the aggregation switches improve as well.

EVI has the following advantages:

Site independence: after Layer 2 interconnection, a fault in one site (such as a broadcast storm) does not propagate to other sites, and the topologies of different sites neither affect nor depend on each other.

Low technical requirements: the service provider network only needs to support IP; there are no other special requirements.

High reliability: multi-homing provides redundant site access, with mechanisms to prevent traffic loops between sites.

Efficient link use: multicast and broadcast traffic between sites is optimized to save bandwidth, and load sharing is possible where redundant links exist.

Flexibility: Layer 2 interconnection between sites does not depend on site topology and places no special requirements on it.

Simple, low-cost operation: only one or more EVI-capable devices need to be deployed at the site edge; the enterprise network and the service provider network need no change. Configuration on the site edge devices is simple, and deployment does not disrupt traffic forwarding.

新疆主要数据中心建设已经完成本地南湖数据中心、北京路数据中心、克拉玛依数据中心的建设,三个数据中心都已经实现了云化。本地测试完成后,在南湖数据中心和北京路数据中心部署实施,实现云网融合。南湖和北京路数据中心同过EVI方案实现大二层互通,后期计划在云大部署SDN网络,实现南湖数据中心,北京路数据中心、克拉玛依数据中心,三大数据中心大二层互通,从而实现统一管理和统一资源调度。The construction of major data centers in Xinjiang has completed the construction of the local Nanhu Data Center, Beijing Road Data Center, and Karamay Data Center. All three data centers have been cloud-based. After the local test is completed, it will be deployed and implemented in the Nanhu Data Center and the Beijing Road Data Center to realize cloud-network integration. The Nanhu and Beijing Road data centers are connected to the second floor through the EVI solution. Later, it is planned to deploy an SDN network in Yunda to realize the Nanhu Data Center, Beijing Road Data Center, Karamay Data Center, and the three major data centers. Unified management and unified resource scheduling.

Making the data center network SDN-based achieves the following:

Service flexibility: computing is decoupled from the network, so virtual machines get consistent access at different locations and in different data centers.

Rapid service launch: the network a service requires is realized as a virtual network, and cloud-network integration automates the deployment of computing, network and security resources.

Security: multi-tenant isolation is implemented with VXLAN, and east-west access control is implemented with NFV and service chaining.

Automated, intelligent operation and maintenance: visualized intelligent O&M gives visual management of the network and of security, with network-wide intelligent awareness and automatic prediction, which reduces O&M risk and improves O&M efficiency.

Unified management of multiple centers: large Layer 2 interconnection between the Beijing Road and Nanhu data centers allows elastic scheduling of computing across data centers.

The present invention solves the following problems in the existing network:

1. In the existing network, multi-tenant isolation is complex to design and configure: isolation is implemented with VPN and VRF technology, both configuration and implementation are complicated, and faults are hard to troubleshoot.

2. A large Layer 2 domain is hard to build in the existing network. Hosts and virtual machines are bound to their location, so resources across the whole network cannot be mobilized effectively, and moving a device requires extensive network configuration before it can come online.

3. When a service goes live or is adjusted, engineers must log in to the network and security devices by hand and perform a large amount of configuration work; replacing a failed device is likewise labor-intensive.

4. Security resources for a service require a long procurement cycle and are costly to procure, and security protection policies must be configured manually.

SDN and VXLAN technology solve the above problems as follows:

1. Service isolation is implemented with VXLAN, which is flexible to deploy; EVPN establishes the tunnels that form the overlay service plane, and SDN provides network visibility that eases troubleshooting.

2. Location is decoupled: physical and virtual machines can be migrated on demand, and the SDN controller automatically pushes network configuration and security policy.

3. New services are brought online on an SDN overlay network that flexibly meets service requirements, and the network configuration is pushed automatically by the SDN controller.

4. NFV pools security functions on x86 hardware, and SDN service chaining orchestrates them automatically, achieving security automation.
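The VXLAN-based tenant isolation described under Security above and in point 1 of this list can be modelled as follows. This is an added example, not code from the patent: it packs and parses the RFC 7348 VXLAN header and shows why isolation holds when the VNI is assigned from a controller-pushed port-to-tenant binding rather than chosen by the tenant's host; the tenant table, VNI values and VTEP/port names are constructed.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

VXLAN_FLAG_I = 0x08  # RFC 7348: the "I" flag marks the VNI field as valid

# Controller-pushed tenant table (values constructed for this example).
# Every VTEP receives the same VNI<->tenant bindings, so no host can pick its own VNI.
TENANT_BY_VNI = {10001: "tenant-a", 10002: "tenant-b"}
VNI_BY_TENANT = {t: v for v, t in TENANT_BY_VNI.items()}


@dataclass(frozen=True)
class Port:
    """An access port on a VTEP, bound to exactly one tenant by the controller."""
    vtep: str
    name: str
    tenant: str


def encap_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8) + inner_frame


def decap_vxlan(packet: bytes) -> tuple[int, bytes]:
    """Parse the VXLAN header; reject truncated headers and packets without the I flag."""
    if len(packet) < 8:
        raise ValueError("truncated VXLAN header")
    flags, vni_field = struct.unpack("!B3xI", packet[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: VNI field is not valid")
    return vni_field >> 8, packet[8:]  # low byte is reserved and ignored


def vtep_ingress(port: Port, inner_frame: bytes) -> bytes:
    """Ingress VTEP: the VNI comes from the port's tenant binding, never from the frame."""
    return encap_vxlan(VNI_BY_TENANT[port.tenant], inner_frame)


def vtep_egress(port: Port, packet: bytes) -> tuple[str, str | bytes]:
    """Egress VTEP: deliver the inner frame only if the VNI's tenant owns the destination port."""
    vni, frame = decap_vxlan(packet)
    tenant = TENANT_BY_VNI.get(vni)
    if tenant is None:
        return "drop", f"unknown VNI {vni}"  # not in the controller table: log and drop
    if tenant != port.tenant:
        return "drop", f"cross-tenant: VNI {vni} ({tenant}) -> {port.vtep}/{port.name} ({port.tenant})"
    return "forward", frame


if __name__ == "__main__":
    a1 = Port("vtep-site1", "eth1", "tenant-a")   # constructed ports
    a2 = Port("vtep-site2", "eth7", "tenant-a")
    b1 = Port("vtep-site2", "eth8", "tenant-b")
    pkt = vtep_ingress(a1, b"\x00" * 14 + b"constructed inner frame")
    print(vtep_egress(a2, pkt))  # forwarded: same tenant
    print(vtep_egress(b1, pkt))  # dropped: tenant-a VNI arriving at a tenant-b port
```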

Description of the drawings

The present invention is described further below with reference to the accompanying drawing. FIG. 1 is the network architecture diagram of the present invention.

Detailed description of the embodiments

A method for applying and practicing a software-defined data center in an operator network, as shown in FIG. 1, comprises an upper-layer OpenStack cloud platform, an SDN controller in the middle layer, and hardware firewalls, load balancers, switches and other devices at the bottom layer. The steps for verifying the SDN system network architecture in the data center are as follows:

Step 1: Build a DCI tunnel that connects the simulated traditional data center to the current test data center network at Layer 2, treat that data center as the backup data center, and verify Layer 2 connectivity and the feasibility of the data center acting as the backup center;

Step 2: Migrate the simulated production services to the new backup data center; record and verify the service migration time, any problems encountered and their solutions; and test whether the service capability provided by the backup data center meets requirements;

Step 3: Rebuild the old data center to conform to the SDN system network architecture and migrate the services back; record and verify the migration-back time and the impact on services;

Step 4: Verify how well the current system network architecture supports active-active services.

Claims (1)

1. A method for applying and practicing a software-defined data center in an operator network, comprising an upper-layer OpenStack cloud platform, an SDN controller in the middle layer, and hardware firewalls, load balancers, switches and other devices at the bottom layer, wherein the steps for verifying the SDN system network architecture in the data center are as follows: Step 1: Build a DCI tunnel that connects the simulated traditional data center to the current test data center network at Layer 2, treat that data center as the backup data center, and verify Layer 2 connectivity and the feasibility of the data center acting as the backup center; Step 2: Migrate the simulated production services to the new backup data center; record and verify the service migration time, any problems encountered and their solutions; and test whether the service capability provided by the backup data center meets requirements; Step 3: Rebuild the old data center to conform to the SDN system network architecture and migrate the services back; record and verify the migration-back time and the impact on services; Step 4: Verify how well the current system network architecture supports active-active services.
CN201910478292.2A 2019-06-03 2019-06-03 Application and practice method of software-defined data center in operator network Pending CN112039682A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910478292.2A CN112039682A (en) 2019-06-03 2019-06-03 Application and practice method of software-defined data center in operator network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910478292.2A CN112039682A (en) 2019-06-03 2019-06-03 Application and practice method of software-defined data center in operator network

Publications (1)

Publication Number Publication Date
CN112039682A true CN112039682A (en) 2020-12-04

Family

ID=73576181

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910478292.2A Pending CN112039682A (en) 2019-06-03 2019-06-03 Application and practice method of software-defined data center in operator network

Country Status (1)

Country Link
CN (1) CN112039682A (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112667259A (en) * 2020-12-25 2021-04-16 浪潮思科网络科技有限公司 SDN controller version upgrading method, device and medium
CN112910712A (en) * 2021-02-24 2021-06-04 杭州网银互联科技股份有限公司 Method and system for getting through branch and public cloud through sdwan
CN113301143A (en) * 2021-05-21 2021-08-24 河南工学院 SDN distributed control plane load balancing method based on stable matching
CN113992565A (en) * 2021-09-29 2022-01-28 新华三大数据技术有限公司 Multicast message processing method and device
CN114125919A (en) * 2021-11-16 2022-03-01 上海移远通信技术股份有限公司 Method and apparatus for testing
CN114172865A (en) * 2021-12-03 2022-03-11 紫光云(南京)数字技术有限公司 IPv6 dual-stack implementation method under cloud network
CN114189458A (en) * 2021-11-25 2022-03-15 北京思特奇信息技术股份有限公司 Cloud network convergence QoS service guarantee system and method based on SDN
CN114244712A (en) * 2021-12-08 2022-03-25 中盈优创资讯科技有限公司 SDN controller protocol state management method and device
CN114500299A (en) * 2022-02-14 2022-05-13 北京华环电子股份有限公司 Software defined network control method and system for optical transport network equipment
CN115225502A (en) * 2022-05-13 2022-10-21 宁夏誉成云创数据投资有限公司 A data center digital mapping DCIM system based on SDN architecture
CN115396512A (en) * 2022-07-15 2022-11-25 新华三技术有限公司 A message distribution method and device
CN115941572A (en) * 2022-12-06 2023-04-07 广州西麦科技股份有限公司 Service full-process network deployment verification method and system based on SDN/NFV
CN116827813A (en) * 2023-08-15 2023-09-29 广东云下汇金科技有限公司 Multi-data center secure communication method and DCI device
CN118590334A (en) * 2024-08-07 2024-09-03 四川远方云天食品科技有限公司 Hot pot base production management system and method based on Internet of Things
CN119341895A (en) * 2024-12-18 2025-01-21 中京科信技术有限公司 Method, device and equipment for remote disaster recovery transmission of IPTV multicast services

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112667259A (en) * 2020-12-25 2021-04-16 浪潮思科网络科技有限公司 SDN controller version upgrading method, device and medium
CN112910712B (en) * 2021-02-24 2022-06-24 杭州网银互联科技股份有限公司 Method and system for getting through branch and public cloud through sdwan
CN112910712A (en) * 2021-02-24 2021-06-04 杭州网银互联科技股份有限公司 Method and system for getting through branch and public cloud through sdwan
CN113301143A (en) * 2021-05-21 2021-08-24 河南工学院 SDN distributed control plane load balancing method based on stable matching
CN113992565A (en) * 2021-09-29 2022-01-28 新华三大数据技术有限公司 Multicast message processing method and device
CN113992565B (en) * 2021-09-29 2023-11-07 新华三大数据技术有限公司 Multicast message processing method and device
CN114125919A (en) * 2021-11-16 2022-03-01 上海移远通信技术股份有限公司 Method and apparatus for testing
CN114189458A (en) * 2021-11-25 2022-03-15 北京思特奇信息技术股份有限公司 Cloud network convergence QoS service guarantee system and method based on SDN
CN114189458B (en) * 2021-11-25 2023-11-28 北京思特奇信息技术股份有限公司 A cloud-network integration QoS service guarantee system and method based on SDN
CN114172865A (en) * 2021-12-03 2022-03-11 紫光云(南京)数字技术有限公司 IPv6 dual-stack implementation method under cloud network
CN114172865B (en) * 2021-12-03 2023-09-15 紫光云(南京)数字技术有限公司 IPv6 dual stack implementation method under cloud network
CN114244712A (en) * 2021-12-08 2022-03-25 中盈优创资讯科技有限公司 SDN controller protocol state management method and device
CN114244712B (en) * 2021-12-08 2023-12-05 中盈优创资讯科技有限公司 SDN controller protocol state management method and device
CN114500299A (en) * 2022-02-14 2022-05-13 北京华环电子股份有限公司 Software defined network control method and system for optical transport network equipment
CN115225502A (en) * 2022-05-13 2022-10-21 宁夏誉成云创数据投资有限公司 A data center digital mapping DCIM system based on SDN architecture
CN115396512A (en) * 2022-07-15 2022-11-25 新华三技术有限公司 A message distribution method and device
CN115941572A (en) * 2022-12-06 2023-04-07 广州西麦科技股份有限公司 Service full-process network deployment verification method and system based on SDN/NFV
CN116827813A (en) * 2023-08-15 2023-09-29 广东云下汇金科技有限公司 Multi-data center secure communication method and DCI device
CN116827813B (en) * 2023-08-15 2024-05-31 广东云下汇金科技有限公司 Multi-data center secure communication method and DCI equipment
CN118590334A (en) * 2024-08-07 2024-09-03 四川远方云天食品科技有限公司 Hot pot base production management system and method based on Internet of Things
CN119341895A (en) * 2024-12-18 2025-01-21 中京科信技术有限公司 Method, device and equipment for remote disaster recovery transmission of IPTV multicast services
CN119341895B (en) * 2024-12-18 2025-03-04 中京科信技术有限公司 Method, device and equipment for remote disaster recovery transmission of IPTV multicast services


Legal Events

Date Code Title Description
PB01 Publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20201204