How to deploy a BGP-based SDN controller for wide area network traffic scheduling in banking

2025-03-29 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article shows how to deploy an SDN controller for wide area network traffic scheduling based on the BGP protocol in the banking industry. The content is concise and easy to follow; I hope you gain something from the detailed introduction.

Deploying SD-WAN in a real user environment often runs into the following problems:

New hardware or software CPE must be purchased. Although this costs less than buying traditional equipment, the resulting staff training, system integration and similar expenses are still substantial.

How can the existing network resources be used to the full, so that the investment in existing equipment is protected?

When the orchestrator or SDN controller fails, how can the existing network resources provide an escape channel?

This article introduces a BGP-based traffic scheduling SDN controller (the BGP TE controller). It applies the SDN concept to the traffic scheduling characteristics and needs of enterprises and banks: it distributes traffic scheduling policies through the BGP Flowspec address family to steer traffic to the relevant ports, and optimizes the path that traffic takes through the network with BGP Segment Routing Policy. The underlying network can consist of the user's existing devices, upgraded in software to support Flowspec and Segment Routing. The controller has been deployed in the backbone network of a domestic bank, where it schedules both network-level and service-specific traffic.

Background

Programmable network elements are the basic building blocks of an SDN network; they need to expose API interfaces at different levels (control plane and management plane). Through these interfaces the SDN controller collects topology, resource and traffic information, and on that basis it can abstract, simulate, schedule and monitor the network. The network automation system manipulates the network model through the controller's northbound API to provision network services. The basic model of a programmable device is shown in the following figure:

BGP Flowspec

If forwarding must be decided on the seven-tuple of an IP packet (source and destination addresses, source and destination ports, protocol number, QoS marking, interface index), the traditional approach is to configure PBR (Policy Based Routing) on the router interface. Flowspec is a separate address family (SAFI) under the BGP IPv4 AFI that carries the user's policy as a BGP route: the match conditions (such as the seven-tuple) and the action to apply on a match (rate-limit or discard, redirect, rewrite the QoS marking, and so on) are packaged into an NLRI plus extended communities and sent to the target device over BGP, so the PBR function is realized through Flowspec without configuring each device by hand. The original specification is RFC 5575 [1]; it has since been obsoleted by RFC 8955, which keeps the same encoding. The redirect action in RFC 8955 targets a VRF; redirecting to an IP next hop, which is the action the example later in this article relies on, comes from a separate IETF draft extension (draft-ietf-idr-flowspec-redirect-ip), so the router's support for that draft must be confirmed before depending on it.

BGP Link-state

To schedule traffic, the controller must know the network topology (nodes and link adjacencies) and the network resources (node and link attributes such as bandwidth). This information is carried by the IGP (OSPF or IS-IS), so to obtain it the controller would otherwise have to join the IGP domain or log on to each device over the command line and collect it, which is both complex to implement and slow to reflect changes. BGP Link-state (BGP-LS) is a BGP address family that packages the real-time topology and resource information held in the IGP and carries it to the controller over BGP; it is specified in RFC 7752 [3] (since revised by RFC 9552). A further draft [4] extends BGP-LS to report the operational state of each SR Policy to the controller as well.

With these three BGP extensions (Flowspec, Segment Routing Policy and Link-state), a single protocol, BGP, can collect network and resource information, distribute traffic scheduling policies, and feed back the state of those policies. In addition, BMP (BGP Monitoring Protocol, RFC 7854) can monitor the BGP state of each device in real time over an in-band or out-of-band network. Together with the stability, scalability and multi-vendor interoperability that BGP has proven over more than twenty years on the Internet, modern BGP is fully able to serve as the underlying control protocol of an SDN.

Demand and Challenge of wide area Network Traffic scheduling of a Bank in China

The bank's wide area network follows a two-site, three-data-center design with a self-built backbone. Each regional center connects to an access node of the backbone through three WAN links, leased from three different domestic carriers, as shown in the following figure:

The simplified backbone and branch networking method is shown in the following figure:

The backbone has three logical planes. Each plane consists of multiple core and access routers interconnected over WAN lines, and a few WAN lines also interconnect the planes. The backbone runs OSPF, and under normal conditions the OSPF metrics are tuned so that traffic does not cross between planes. The branch network connects to the backbone through three routers; OSPF runs between the branch routers, and eBGP runs between the branch routers and the backbone. Through eBGP routing policy, the traffic from the three routers to DC1, DC2 and DC3 is carried over plane 1, 2 and 3 respectively.

The traffic scheduling requirements of this user are as follows:

Easy to learn, easy to use, controllable

Use network technology the operators already know, to keep the learning curve short, and provide a good user interface so that scheduling is easy to operate. The state and effect of every scheduling policy must be clearly visible so that operations staff can manage and verify it. When the controller fails, the existing network protocols must act as the escape channel, so that a controller going off the network does not cause abnormal forwarding or black holes.

Difficult to design and deploy

The backbone contains many device types and a large number of devices. Newer protocol stacks such as OpenFlow, NETCONF and PCEP would require hardware and software upgrades of the existing equipment. Moreover, SDN technology and its protocols are iterating rapidly, which places high demands on device compatibility and interoperability.

Some of the WAN links are MSTP circuits leased from carriers and are subject to jitter, so the controller must not only detect topology changes quickly but also cope with link flapping. If the network relied entirely on the controller to react to every real-time topology change, operation would depend heavily on the controller and the controller itself could become a performance bottleneck. The processing capability of the network devices and of the controller must therefore be used together, each taking its own part of the work.

Requiring uplink and downlink traffic to follow the same path is challenging. Network devices forward each IP packet hop by hop and have no notion of which direction of a pair of communicating endpoints a packet belongs to. A bidirectional scheduling policy therefore has to be generated to keep both directions on the same network path, and traffic cannot be scheduled by destination address alone; it must be matched on the combination of source and destination address.

To provide the escape channel, the policies issued by the controller must take precedence on the target device while the controller is online; once the controller is lost, the device must delete the controller's policies and revert to forwarding by its own routing table. The controller's role is thus to optimize the use of network resources: centralized control by the controller is combined with the distributed control of the network devices, rather than the controller becoming the nerve center of the network as in an OpenFlow-style design.

The BGP TE controller establishes the following BGP sessions:

A session with the backbone BGP route reflector (RR), with the BGP Link-state address family enabled, for real-time collection of backbone topology and resource information.

An iBGP session with each branch, with only the BGP Flowspec address family enabled; traffic is scheduled onto the WAN links toward the backbone according to the seven-tuple of the IP packet.

An iBGP session with each backbone PE, with the BGP Flowspec and SR-Policy address families enabled, to steer user traffic onto different SR-TE paths and so traverse the backbone according to the user-specified SLA (delay, bandwidth, link cost).

Each of these sessions is a write path into the forwarding plane: a Flowspec UPDATE from the controller overrides the routing table on the receiving router. They therefore need the same protection as any other control-plane access: TCP session authentication (TCP MD5, RFC 2385, or TCP-AO, RFC 5925), a maximum-prefix limit on the Flowspec address family, and inbound policy on the router that accepts only Flowspec routes whose redirect targets are the expected PE addresses. Note also that the Flowspec validation rule of RFC 8955 section 6 (accept a flow specification only from the originator of the best-match unicast route for its destination prefix) would reject rules originated by a controller that does not itself announce the destination prefixes, so deployments of this kind typically disable that validation on the controller session; the session authentication and route filtering above then remain the only guards against a rogue or compromised peer injecting a redirect.

The basic usage scenario of the BGP TE controller is shown below:

The user wants to move the traffic from branch 1 (address a.a.a.0/24), entering at router R1, to DC1 (address b.b.b.0/24, application port ccc) from plane 1 to plane 2, and the service requires the network path with the lowest delay. To make the operation of the policy easy to follow, the description below is simplified:

1. The controller generates and issues two SR-Policy routes

The controller collects topology and resource information through BGP-LS, computes a bidirectional SR-TE Policy between PE2 and PE4 (one policy per direction) according to the user's policy configuration, computes a protection path within plane 2, and sends the policies to PE2 and PE4 over the BGP SR-Policy address family (thick green lines in the figure). If the primary path in plane 2 fails, the routers switch traffic to the protection path locally and quickly.

2. The controller generates and issues two Flowspec policies:

a. Policy 1: match traffic (source IP a.a.a.0/24, destination IP b.b.b.0/24, destination port ccc) and redirect it to PE2. This policy is sent to R1 via Flowspec.

b. Policy 2: match traffic (source IP b.b.b.0/24, source port ccc, destination IP a.a.a.0/24) and redirect it into the SR-TE Policy towards PE2. This policy is sent to PE4 via Flowspec.

When a packet arrives at R1, the router checks it against the Flowspec policy first. A packet that matches no Flowspec condition is forwarded by the routing table. A packet that matches is forwarded to PE2; at PE2 it enters the SR-TE Policy tunnel to PE4, and at PE4 it is forwarded by PE4's local routing table to the relevant router inside DC1. Downstream traffic is handled in the same way in reverse and is not repeated here.

Because the controller computes the SR-TE Policy in both directions, and Flowspec at both ends of the network admits only the traffic that matches the policy into the corresponding Policy, the two directions of the flow are guaranteed to traverse the same network path.
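As an added example (not code from the article or from the bank's controller), the following Python encodes and decodes the Flowspec IPv4 NLRI of the two policies above in the wire format of RFC 8955 section 4, and derives policy 2 from policy 1 by swapping the source and destination components, which is the bidirectional pairing the text describes. The addresses 10.1.1.0/24 and 10.2.2.0/24 and port 443 are assumptions standing in for a.a.a.0/24, b.b.b.0/24 and ccc; the redirect action itself travels as an extended community, not in the NLRI, and is not encoded here.

```python
"""BGP Flowspec IPv4 NLRI encoder/decoder (RFC 8955 section 4).

Added example, not code from the article or the controller it describes.
Only the components this article needs are implemented: destination
prefix (1), source prefix (2), IP protocol (3), destination port (5),
source port (6), each numeric component restricted to a single "equal"
value. Addresses and ports below are hypothetical stand-ins.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Component type codes from RFC 8955 section 4.2 (emitted in ascending order)
DST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT, SRC_PORT = 1, 2, 3, 5, 6
_NUMERIC_FIELDS = {IP_PROTO: "ip_proto", DST_PORT: "dst_port", SRC_PORT: "src_port"}


@dataclass
class FlowRule:
    dst_prefix: Optional[str] = None
    src_prefix: Optional[str] = None
    ip_proto: Optional[int] = None
    dst_port: Optional[int] = None
    src_port: Optional[int] = None

    def reverse(self) -> "FlowRule":
        """Rule for the return direction: swap source/destination prefixes and ports."""
        return FlowRule(dst_prefix=self.src_prefix, src_prefix=self.dst_prefix,
                        ip_proto=self.ip_proto, dst_port=self.src_port,
                        src_port=self.dst_port)


def _encode_prefix(prefix: str) -> bytes:
    # <prefix length in bits> <prefix, minimal number of octets>
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:nbytes]


def _encode_numeric_eq(value: int) -> bytes:
    # Operator octet: bit7 end-of-list, bits5-4 value length (00=1, 01=2 octets), bit0 eq
    if value < 256:
        return bytes([0x80 | 0x01, value])
    return bytes([0x80 | 0x10 | 0x01]) + value.to_bytes(2, "big")


def encode_nlri(rule: FlowRule) -> bytes:
    body = b""
    if rule.dst_prefix is not None:
        body += bytes([DST_PREFIX]) + _encode_prefix(rule.dst_prefix)
    if rule.src_prefix is not None:
        body += bytes([SRC_PREFIX]) + _encode_prefix(rule.src_prefix)
    for ctype, attr in _NUMERIC_FIELDS.items():   # dict order is ascending 3, 5, 6
        value = getattr(rule, attr)
        if value is not None:
            body += bytes([ctype]) + _encode_numeric_eq(value)
    # NLRI length prefix: one octet if < 240, otherwise two octets with 0xF high nibble
    if len(body) < 240:
        return bytes([len(body)]) + body
    return (0xF000 | len(body)).to_bytes(2, "big") + body


def decode_nlri(data: bytes) -> FlowRule:
    if data[0] >= 0xF0:
        length, pos = ((data[0] & 0x0F) << 8) | data[1], 2
    else:
        length, pos = data[0], 1
    end = pos + length
    if end != len(data):
        raise ValueError("NLRI length does not match payload")
    rule, last_type = FlowRule(), 0
    while pos < end:
        ctype = data[pos]
        pos += 1
        if ctype <= last_type:               # RFC 8955: component types strictly ascending
            raise ValueError("component types not strictly ascending")
        last_type = ctype
        if ctype in (DST_PREFIX, SRC_PREFIX):
            plen = data[pos]
            nbytes = (plen + 7) // 8
            addr = data[pos + 1:pos + 1 + nbytes].ljust(4, b"\x00")
            pos += 1 + nbytes
            text = f"{ipaddress.IPv4Address(addr)}/{plen}"
            if ctype == DST_PREFIX:
                rule.dst_prefix = text
            else:
                rule.src_prefix = text
        elif ctype in _NUMERIC_FIELDS:
            op = data[pos]
            vlen = 1 << ((op >> 4) & 0x3)
            if (op & 0x07) != 0x01 or not (op & 0x80):
                raise ValueError("only a single 'equal' operator is supported here")
            setattr(rule, _NUMERIC_FIELDS[ctype],
                    int.from_bytes(data[pos + 1:pos + 1 + vlen], "big"))
            pos += 1 + vlen
        else:
            raise ValueError(f"unsupported component type {ctype}")
    return rule


# Policy 1 of the example: branch 10.1.1.0/24 -> DC1 10.2.2.0/24, destination port 443
POLICY_1 = FlowRule(dst_prefix="10.2.2.0/24", src_prefix="10.1.1.0/24", dst_port=443)
POLICY_2 = POLICY_1.reverse()   # return traffic: matches source port 443 instead

if __name__ == "__main__":
    print("policy 1 NLRI:", encode_nlri(POLICY_1).hex())
    print("policy 2 NLRI:", encode_nlri(POLICY_2).hex())
```

The decoder rejects an NLRI whose components are out of type order, which is the first thing a router's Flowspec parser is expected to enforce; a controller that emits them in the wrong order produces rules that are silently ignored, and that is a common reason a policy "does not take effect".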

When the backbone topology changes (a WAN link goes down, a router goes offline, and so on):

The controller receives the real-time topology through BGP-LS and recomputes and updates the issued Policies according to the latest topology.

When a link flaps, the controller holds back the policy update and sends the new policy to the relevant routers only after the link has been observed stable for a period of time, so that link jitter does not destabilize the policy.

When a router receives Flowspec and SR-Policy routes, whether a policy takes effect on traffic depends on whether it passes the router's validity check. In Flowspec policy 1 of the example above, if the redirect destination (PE2) is not valid, for instance because the branch's link to PE2 is down or PE2 is offline, the policy fails the check and has no effect on traffic. This mechanism means the controller does not need to react to every network event in real time. If PE2 is reachable when policy 1 is issued, the policy passes the check and schedules traffic through the router. If PE2 later becomes unreachable because of a failure, the router detects the event at once and invalidates policy 1 immediately, and traffic arriving at R1 is forwarded by the routing table, which minimizes the impact of the change on traffic. The controller, on the other hand, learns of the event a few seconds after the router does; it then recomputes the affected policy and sends the new policy to the relevant devices. The practical check for an operator follows from this: confirm on the router that a received Flowspec rule is actually installed and counting matches, not merely present in the BGP table, because a rule that fails the validity check silently reverts traffic to the routing table and the router does not tell the controller.
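The division of labour described above, as an added example that is not part of the article or of the controller it describes: a simulated router that applies a redirect rule only while its next hop resolves in the routing table and drops every controller rule when the session is lost, beside a simulated controller that recomputes policy only after the topology has been stable for a hold-down period. The next-hop address 192.0.2.2, the rule name, the hold-down value and the flap timings are all hypothetical.

```python
"""Router-side validity check and controller-side hold-down, simulated.

Added example, not code from the article or the controller it describes.
Next hop 192.0.2.2, rule names and all times are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RedirectRule:
    name: str
    redirect_nh: str   # IP next hop that matching traffic is redirected to


class FlowspecRouter:
    """Keeps every rule the controller sent, applies only those whose redirect
    next hop currently resolves in the local routing table (validity check)."""

    def __init__(self, reachable):
        self.reachable = set(reachable)   # next hops with a route in the RIB
        self.rules = {}

    def install(self, rule):
        self.rules[rule.name] = rule

    def nexthop_event(self, nh, up):
        # The router sees the RIB change at once and re-evaluates its rules.
        if up:
            self.reachable.add(nh)
        else:
            self.reachable.discard(nh)

    def active_rules(self):
        return sorted(n for n, r in self.rules.items() if r.redirect_nh in self.reachable)

    def session_lost(self):
        """Escape channel: controller session down, so every controller rule is
        withdrawn and forwarding reverts to the routing table."""
        self.rules.clear()


class HoldDownController:
    """Recomputes policy only once the topology has been stable for hold_down
    seconds; every further flap restarts the wait."""

    def __init__(self, hold_down):
        self.hold_down = hold_down
        self.pending_since = None
        self.recomputed_at = []

    def topology_event(self, t):
        self.pending_since = t

    def tick(self, t):
        """Called once per second; returns True when a recompute is triggered."""
        if self.pending_since is not None and t - self.pending_since >= self.hold_down:
            self.pending_since = None
            self.recomputed_at.append(t)
            return True
        return False


def run_scenario(hold_down=30):
    """Constructed scenario: the branch link to PE2 flaps five times between
    t=10 and t=18, then stays down; the controller session is lost at the end."""
    pe2 = "192.0.2.2"
    router = FlowspecRouter(reachable={pe2})
    ctl = HoldDownController(hold_down)
    router.install(RedirectRule("policy-1", pe2))
    flaps = {10: False, 12: True, 14: False, 16: True, 18: False}
    trace = {"t0_active": router.active_rules()}
    for t in range(0, 61):
        if t in flaps:
            router.nexthop_event(pe2, flaps[t])   # router reacts immediately
            ctl.topology_event(t)                  # controller only restarts its timer
        ctl.tick(t)
        if t == 11:
            trace["t11_active"] = router.active_rules()
        if t == 17:
            trace["t17_active"] = router.active_rules()
    trace["recomputed_at"] = ctl.recomputed_at
    trace["final_active"] = router.active_rules()
    router.session_lost()
    trace["rules_after_session_loss"] = len(router.rules)
    return trace


if __name__ == "__main__":
    print(run_scenario())
```

With a 30-second hold-down the controller recomputes once, at t=48, thirty seconds after the last flap, while the router has already stopped applying policy-1 at t=10 and resumed at t=16 on its own; this is the behaviour that keeps a flapping leased line from turning into a stream of policy updates.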

The BGP TE controller demonstrates the flexibility, practicality and necessity of SD-WAN through bidirectional control. Flow control based not only on IP address but also on application port is a real requirement of many financial-industry customers. Many policy-based SD-WAN solutions on the market today, such as IWAN, VIPTELA and VECOLOUD, implement control hop by hop through policies; in a multi-hop ring network such as a core network, configuring and maintaining those policies is complex. The BGP-based SD-WAN solution combines application-aware policy control at the access side with MPLS TE technology in the core network and implements the complex flow control requirements of financial users concisely.

Deploying SDN can help the bank's network accelerate business innovation, improve the utilization of network resources, optimize the service experience, strengthen market competitiveness, and gradually evolve from operations and maintenance toward operating the network as a service. The BGP TE controller introduced in this article applies the SDN idea and makes full use of the extensions of the BGP protocol (BGP Flowspec, Segment Routing Policy and Link-state) to realize wide area network traffic scheduling while protecting the existing network investment and keeping the existing operations and maintenance system as far as possible. It is a useful case of deploying SDN for wide area network traffic scheduling in a domestic bank.

The above is how to deploy a BGP-based SDN controller for wide area network traffic scheduling in the banking industry.
