Schuberg Philis cloud L2-L3 Use Case

How can you connect existing customers with a legacy infrastructure to a virtual infrastructure in a cloud, or how can you extend these infrastructures with a virtual infrastructure?
The answer is actually very simple when your cloud infrastructure is using Nicira NVP, because this gives you the possibility to use their cool NVP Gateway. If your cloud infrastructure happens to be controlled by CloudStack, most if not all configuration can be done using the UI.

The diagram

Layer 2
The heart of the underlying network is based on four core Arista switches (MLAG interconnected) stretched over two datacenters in Amsterdam with dedicated CWDM fibers.
Each rack contains a single top-of-rack switch connecting all the hypervisors. The top-of-rack switches are redundantly aggregated to the core switches with an EtherChannel.
Both datacenters have the same infrastructure, are active-active because of the stretched VLANs, and are predictable because of the ‘simple’ core-leaf setup. This simple setup with an extended VLAN structure is only possible when the datacenters are relatively close to each other.
The hypervisors have two 10Gb interfaces for the Transport and Data connections, with specific access-port and trunk configurations on the switch. The physical Layer 2 design is flat: every pod/tenant has a transport VLAN for the STT tunneling, an admin VLAN for the hypervisor/VM and a public internet VLAN.

Layer 3
Routing is divided into CloudStack/Nicira (SDN) devices and non-CloudStack/Nicira ‘standalone’ devices.
The standalone services are the frontend BGP devices and the firewall device between the cloud infrastructure, the management/admin/orchestration network and the existing customer infrastructure.
The BGP routers are two redundant Linux VMs, each with two ISP uplinks in a default gateway setup. For the VMs the BGP routers also provide an HSRP/VRRP service for default gateway functionality. Network security is partly done with iptables on the VMs.
The firewall is a redundant physical FreeBSD machine, to ensure 10Gb wirespeed (as much as possible) between the orchestration, hypervisor admin and customer networks.
The virtual routing is provided and orchestrated from CloudStack/Nicira with their NVP gateway.

Nicira services

Service Node – The service node is used to offload various processes from the hypervisor nodes: broadcast, multicast and unknown unicast traffic flows via the Service Node.

Controller Cluster – The Nicira NVP controller cluster is made up of three servers that essentially maintain the flow state database. The state database contains the authoritative list of all flows present in the NVP network. Manipulation of the state database is provided through the Nicira NVP API. The Cloud Management System (CMS) interfaces directly with the API. For redundancy (and maintenance) a minority of the total nodes can be shut down at a time while still maintaining control over the flows and access to the APIs by the CMS. The control cluster pushes flows to the various Open vSwitches but does not actively participate in the traffic flows of Virtual Machines between transport nodes.

Open vSwitch (OVS) – Open vSwitch is the intelligent edge component that is integrated into various hypervisors like XenServer and KVM and is controlled by the controller cluster. The OVS is aware of each controller cluster node, so once it has been registered with the controller cluster it can still reach the other nodes if one becomes unavailable.

L2 or L3 Gateway – This is a single installation, but its identity varies based on how it is configured and added to the Nicira NVP infrastructure. What makes it unique is that the Layer 2 or Layer 3 Gateways are provided as a generic Gateway Service within NVP. Virtual Layer 2 bridges or Layer 3 routers can use one or more gateways to gain High Availability. This also means that tenants can share the gateway services without requiring individual gateways per tenant.

The actual use case
An existing customer has a dedicated switch/firewall/load-balancing infrastructure from vendor XYZ. The customer is servicing a web portal and needs more (flexible) application and database power.
In order to extend the customer with more virtual power, the choice has been made to connect to the cloud infrastructure with internal cabling. Actually this can be anything, as long as there is a Layer 2 or Layer 3 path available.

At the customer premises a Nicira gateway is deployed with one trunk interface in the customer application VLAN 400 and database VLAN 200. The second interface (access-port) is in the transport network VLAN 701 to the customer switch in the cloud (which connects all customer infrastructures). The Layer 2 gateway supports bridging the traffic between the STT tunnels and the customer physical VLANs 200/400 and the virtual VLANs 200/400 in the cloud. In the virtual domain, Layer 2 gateways are configured to connect selected logical switches to the mentioned VLANs in the physical domain.

Isolation between the customer infrastructure and the cloud related infrastructure is accomplished with a physical inline layer 3 device. The customer switch has access-ports to the customer Nicira gateway and a galvanic isolation to the cloud network with the physical firewall.

The physical firewall secures the STT endpoint connections between the cloud hypervisors and the gateways in the different infrastructures and routes the various networks.
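Since STT carries the tenants' Layer 2 frames between transport nodes, the only STT sessions the firewall should ever see are between the known hypervisors and NVP gateways on the transport VLANs. The following is an added example, not code from the original post or from Schuberg Philis: it audits constructed connection records of the kind such a firewall could log and flags STT sessions (TCP port 7471) whose endpoints are outside the transport networks or not among the known transport nodes. The record format, the transport subnets and the endpoint list are constructed assumptions; no particular firewall's log format is implied.

```python
"""Flag STT sessions between endpoints that are not known transport nodes.

Added example. Assumptions (constructed, not from the original page):
a simplified record format "timestamp src dst proto dport action",
the transport subnets in TRANSPORT_NETS and the hypervisor / gateway
addresses in KNOWN_ENDPOINTS. STT itself runs over TCP port 7471.
"""
from ipaddress import ip_address, ip_network

STT_PORT = 7471  # TCP port STT tunnels use between transport nodes

# Constructed: transport subnets and the addresses allowed to terminate STT.
TRANSPORT_NETS = [ip_network("10.70.1.0/24"), ip_network("10.70.2.0/24")]
KNOWN_ENDPOINTS = {"10.70.1.11", "10.70.1.12", "10.70.2.21"}

# Constructed sample records: timestamp source destination protocol dport action
SAMPLE_LOG = [
    "2013-05-01T10:00:01 10.70.1.11 10.70.2.21 tcp 7471 pass",    # hypervisor to gateway: expected
    "2013-05-01T10:00:02 10.70.1.11 10.70.1.99 tcp 7471 pass",    # peer is not a known transport node
    "2013-05-01T10:00:03 192.168.40.5 10.70.1.12 tcp 7471 pass",  # STT from outside the transport VLANs
    "2013-05-01T10:00:04 10.70.1.12 10.70.1.11 tcp 443 pass",     # not STT, ignored
    "2013-05-01T10:00:05 10.70.2.21 10.70.1.12 udp 7471 pass",    # same port but not TCP, ignored
]


def parse_record(line: str) -> dict:
    """Split one record of the constructed format into its fields."""
    ts, src, dst, proto, dport, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(),
            "dport": int(dport), "action": action}


def in_transport_nets(ip: str, nets) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def classify_stt(rec: dict, known, nets):
    """None for an expected STT session, otherwise a short reason string."""
    if rec["proto"] != "tcp" or rec["dport"] != STT_PORT:
        return None  # not an STT session; out of scope for this check
    for ip in (rec["src"], rec["dst"]):
        if not in_transport_nets(ip, nets):
            return f"STT endpoint {ip} outside the transport networks"
        if ip not in known:
            return f"STT peer {ip} is not a known hypervisor or gateway"
    return None


def audit_stt(lines, known=KNOWN_ENDPOINTS, nets=TRANSPORT_NETS):
    """Return (timestamp, src, dst, reason) for every STT session that breaks the expectation."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        reason = classify_stt(rec, known, nets)
        if reason is not None:
            findings.append((rec["ts"], rec["src"], rec["dst"], reason))
    return findings


if __name__ == "__main__":
    for finding in audit_stt(SAMPLE_LOG):
        print(*finding)
```

Running it over the sample prints the two unexpected sessions (the unknown peer 10.70.1.99 and the STT attempt from 192.168.40.5). In practice the endpoint list is generated from the CloudStack/NVP inventory rather than maintained by hand, so a hypervisor that is added without being registered shows up here instead of silently joining the transport network.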

In CloudStack the new tenant is provisioned with the virtual VLAN networks 200/400, the service nodes and the VM hosts.

Create a transport zone:

Link the zone to the hypervisors:

Setup the network service provider:

Configure a physical network, traffic tag links to “integration bridge”:

When the STT tunnel is up and running you have extended the physical customer network to the cloud SDN network. Now you can use the cloud VMs as if they are in the same network as the existing customer hosts.

Configure service offerings and add the tenant networks.
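The same steps can be driven through the CloudStack API instead of the UI, which is what you want once the procedure has to be repeated per tenant. The following added example (not code from the original post or from CloudStack) builds signed requests for the "network service provider" and "NVP device" steps: it implements the CloudStack request-signing scheme (query parameters sorted by key and lower-cased, HMAC-SHA1 with the account's secret key, base64) together with the server-side verification, so a modified request is rejected. It assumes the CloudStack API commands addNetworkServiceProvider and addNiciraNvpDevice with the parameter names shown (including transportzoneuuid, which ties the device to the transport zone created earlier); the API key, secret key, UUIDs, controller hostname and NVP credentials are constructed placeholders.

```python
"""Signed CloudStack API requests for the Nicira NVP provisioning steps.

Added example, not the page's or CloudStack's own code. Assumes the
CloudStack signing scheme (sorted, lower-cased query string, HMAC-SHA1
with the secret key, base64) and the command names addNetworkServiceProvider
and addNiciraNvpDevice. Keys, UUIDs and hostnames are constructed placeholders.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote

# Constructed placeholders: a real deployment reads these from a secret store.
API_KEY = "EXAMPLE-API-KEY"
SECRET_KEY = "EXAMPLE-SECRET-KEY"


def _encode(value) -> str:
    """URL-encode one value; the server must canonicalize the same way."""
    return quote(str(value), safe="*")


def canonical_query(params: dict) -> str:
    """The string that gets signed: key=value pairs sorted by key, joined by '&', lower-cased."""
    pairs = [f"{k}={_encode(v)}" for k, v in sorted(params.items())]
    return "&".join(pairs).lower()


def sign(params: dict, secret_key: str) -> str:
    """HMAC-SHA1 over the canonical query, base64-encoded."""
    mac = hmac.new(secret_key.encode(), canonical_query(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def signed_query(command: str, params: dict, api_key: str, secret_key: str) -> str:
    """Full query string for one API call with the signature appended."""
    full = dict(params, command=command, apikey=api_key, response="json")
    query = "&".join(f"{k}={_encode(v)}" for k, v in sorted(full.items()))
    return f"{query}&signature={quote(sign(full, secret_key), safe='')}"


def verify_query(query: str, secret_key: str) -> bool:
    """Server-side check: recompute the MAC over everything except 'signature', compare in constant time."""
    items = parse_qsl(query, keep_blank_values=True)
    params = {k: v for k, v in items if k != "signature"}
    presented = dict(items).get("signature", "")
    return hmac.compare_digest(sign(params, secret_key).encode(), presented.encode())


def nvp_provisioning_requests(physical_network_id, nvp_controller, transport_zone_uuid,
                              api_key, secret_key):
    """Signed requests for the 'network service provider' and 'NVP device' steps of the procedure."""
    provider = signed_query(
        "addNetworkServiceProvider",
        {"name": "NiciraNvp", "physicalnetworkid": physical_network_id},
        api_key, secret_key)
    device = signed_query(
        "addNiciraNvpDevice",
        {"physicalnetworkid": physical_network_id, "hostname": nvp_controller,
         "username": "admin", "password": "NVP-PASSWORD-PLACEHOLDER",
         "transportzoneuuid": transport_zone_uuid},
        api_key, secret_key)
    return [provider, device]


if __name__ == "__main__":
    requests = nvp_provisioning_requests("pn-uuid-placeholder", "nvp-controller.example",
                                         "tz-uuid-placeholder", API_KEY, SECRET_KEY)
    for q in requests:
        print(q)
        print("verifies:", verify_query(q, SECRET_KEY))
```

The signed query is sent as the query string of an HTTPS GET or POST to the management server's API endpoint; the secret key itself never goes on the wire, only the MAC does, and the NVP controller password inside the addNiciraNvpDevice call is the reason plain HTTP is not acceptable for this traffic. Because the signature covers every parameter, the verification above rejects a request in which the transport zone or physical network id has been altered in transit.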
