Software-Defined Networking (SDN)
- Cloud services require:
  - rapid provisioning and deprovisioning of server instances and networks
  - use of overlay networks to establish logical point-to-point links quickly and reliably
  - these components must be fully accessible to scripting (Infrastructure as Code, IaC)
Software-defined networking (SDN) is a set of APIs and compatible hardware/virtual appliances that make network appliances and systems programmable.
- a model for how these processes can be used to provision and deprovision networks
  - especially important for cloud services
- abstracts physical network devices, replacing them with a virtual control plane that makes all decisions regarding traffic management
- an SDN application can be used to define policy decisions on the control plane
  - these are then implemented on the data plane by a network controller application
    - interfaces with the network devices using APIs
- used to manage and provision physical and virtual network appliances
  - fully automated
- extends the functionality and control provided by network segmentation by providing greater flexibility
  - makes implementing networks containing only a single device manageable
  - allows for building cloud-based networks
Network Functions
- With a vast array of devices to manage and configure, it is effective to use an abstracted model to define how the network operates
- network functions can be divided into three “planes”:
  - Control plane
    - makes decisions about how traffic should be prioritized and secured, and where it should be switched
    - an SDN application can be used to define policy decisions on the control plane
      - decisions are then implemented on the data plane by a network controller application
        - interfaces with the network devices using APIs
  - Data plane
    - handles the switching and routing of traffic and the imposition of security access controls (ACLs)
  - Management plane
    - monitors traffic conditions and network status
Network Functions Virtualization (NFV) is provisioning virtual network appliances, such as switches, routers, and firewalls, via VMs and containers.

Properties of SDN
- central policy management
  - single “source of truth” for how the network should operate
  - business and security rules are automatically converted into device configuration states
  - central policy management but distributed policy enforcement
  - status reporting ensures that “single pane of glass” monitoring and oversight is available to administrators
- transport agnostic
  - overlay network can make use of any available forwarding fabric
    - whether Ethernet, Wi-Fi, 4G/5G cellular, leased line, or satellite
    - underlying network fabric is automatically configured to establish the logical network link
- zero-touch provisioning
  - when new nodes are deployed to the network, automation is used to achieve the desired configuration rather than needing manual configuration by a technician
  - if network policies change, nodes are reconfigured automatically
- application aware
  - forwarding nodes can identify types of traffic (e.g., voice, video, IoT)
    - can reserve capacity for these applications to ensure:
      - sufficient bandwidth
      - low latency
      - lossless transfers
SDN Architecture
- SDN model defined by IETF
  - network functions are divided into three layers:
    - application layer (top layer)
      - applies business logic to make decisions about:
        - how traffic should be prioritized and secured
        - where it should be switched
      - defines policies such as:
        - segmentation
        - ACLs
        - traffic prioritization
    - infrastructure layer (bottom layer)
      - contains the devices (physical or virtual) that:
        - handle the actual forwarding (switching and routing) of traffic
        - impose ACLs and other policy configurations for security
    - control layer (middle layer)
      - principal innovation of SDN
      - sits between the application and infrastructure layers
      - functions of the control plane are implemented by a virtual device referred to as the SDN controller
  - each layer exposes an API that can be automated by scripts that call functions in the layer above or below
    - interface between SDN applications and the SDN controller is described as the service interface or as the northbound API
    - interface between the SDN controller and infrastructure devices is the southbound API
  - this architecture reduces the risks of managing large and complex network infrastructure
  - also allows for fully automated provisioning of network links, appliances, and servers
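The three layers and the two APIs above, as an added toy model in Python that is not from the original notes or any real SDN controller; the Policy, Device and Controller names, the segment labels and the dict-based rule format are constructed for illustration. It shows central policy management with distributed enforcement, zero-touch provisioning of a new node, and a management-style audit that reports devices whose state has drifted from the controller's intent.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Policy:
    # Application-layer rule stated in business terms (segments, not devices)
    src: str
    dst: str
    action: str       # "allow" or "deny"
    priority: int = 100

@dataclass
class Device:
    # Infrastructure-layer node: enforces its own ACL locally (distributed enforcement)
    name: str
    segments: frozenset
    acl: list = field(default_factory=list)

    def apply_acl(self, rules):   # southbound API: controller pushes device state
        self.acl = sorted(rules, key=lambda r: -r["priority"])

    def permits(self, src, dst):  # data-plane decision: first matching rule wins
        for r in self.acl:
            if r["src"] == src and r["dst"] == dst:
                return r["action"] == "allow"
        return False              # no matching rule: default deny

class Controller:
    # Control layer: the single source of truth for how the network should operate
    def __init__(self):
        self.policies, self.devices = [], {}

    def compile_for(self, device):
        # Only rules that touch a segment the device serves are pushed to it
        return [dict(src=p.src, dst=p.dst, action=p.action, priority=p.priority)
                for p in self.policies
                if p.src in device.segments or p.dst in device.segments]

    def set_policies(self, policies):  # northbound API: application hands over intent
        self.policies = sorted(policies, key=lambda p: -p.priority)
        for d in self.devices.values():  # policy change: every node is reconfigured
            d.apply_acl(self.compile_for(d))

    def register(self, device):        # zero-touch provisioning of a newly deployed node
        self.devices[device.name] = device
        device.apply_acl(self.compile_for(device))

    def audit(self):
        # Management-plane style check: names of devices whose state drifted from policy
        return [n for n, d in self.devices.items()
                if d.acl != sorted(self.compile_for(d), key=lambda r: -r["priority"])]
```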

Management Plane
- In IETF’s SDN model, there are separate forwarding (data plane) and operational planes at the infrastructure level
  - operational plane implements device state
    - e.g., CPU and memory utilization
  - management plane sits at the same level as the control plane to interface with the operational plane
    - used to implement monitoring of traffic conditions and network status