Okay, so what I wanted to talk about today is how you do SDN with multiple BGP ASs. Essentially this can come into play in a service provider arena, and you can also choose to do this in the data center as well, so let's get started.

So what are some of the use cases? Well, for one, we want to virtualize all the extraneous equipment in our customer prem. Let's say I want to offer a firewall or an IDS or a UTM type of thing, malware, URL filtering. Today what we do is we roll a truck, so we have to go disrupt the customer's experience: we have to install a new piece of gear, make sure it's configured properly, and cross our fingers that it works when our technician leaves. So what we want to do is virtualize all that so that we can pull it all back to the cloud. Essentially all the customer gets is the access node that is required to get them access in the first place, and then everything else is done via a virtual machine.

Another use case, which is just an offshoot of this, is seamless segmentation of tunneling technology. VXLAN has about 16 million and change when it comes to unique tunnel IDs, whereas MPLS by its nature can be segmented via the IGP: for every area in OSPF or every level 1 in IS-IS you can pretty much reset the paradigm when it comes to tunneling.

So what challenges do we have? In our network we do multiple BGP ASs; most providers do this. They have an AS for their residential network and an AS for their commercial network. Some people in data centers choose to do this as well, by virtue of every pair of top-of-rack switches having its own BGP AS and the core having a different one. They do this for a couple of reasons: some of it is troubleshooting, some of it is segmenting the route scope.

This provides some challenges in being able to get between ASs. In our case we have two different vendors, one in our commercial network and a second one in our residential network, and we have a difficult time lining up what tunneling protocols you can actually use between the two, based on their support and the way they're configured. Some are more flexible than others; with some it's an all-or-nothing thing: either you bind to GRE or you bind to MPLS, you can't do both, and we've already extensively deployed MPLS in our network.

Another challenge we have is MTU size. We have to work down to the lowest common denominator, and oftentimes that is an access node. Think of a CMTS in the cable world or a DSLAM in the telco world. In the cable world a CMTS today supports an MTU size of about 1527, so if I want to put anything behind it that needs any sort of tunneling, we have to take that into account; otherwise the customers can't do trivial things like banking and day trading and things of that nature.

So why do we care? Endpoints are ever increasing. I think we can all accept that VMs are just going to increase more, to be able to get more blood out of the stone, i.e.
the customer. We need to provide more services, and that doesn't always mean in the data center; it may mean that we have to put that on the premise too. There are some advantages to doing that, you can get certain efficiencies out of it, but at the same time we need the flexibility to pick and choose what we do, so I've listed a few of these.

So what are some of the problems we have with the increasing size? Well, some technologies don't do it; it's difficult, there's not an elegant way to stitch between domains. I was thinking of containerization: it will just explode as far as the number of containers that you use, and while they kind of group together, you can see that this is just the tip of the iceberg. IoT, I put that on there; I'm not really sure what that means for us, but I think we could probably put it on the list of things that we need to do and make sure we get in the game of it. At the end of the day we need to be able to operationally scale this without a whole lot of effort and without a whole lot of rethink. So we need to be able to slice and dice tunneling domains at will. I need to be able to simply say, okay, well, this tunneling domain is getting too big, I just need to chop it up and make it two parts, and I want to be able to do that without really having to do a whole lot of rethink other than just doing the work to make it happen. Obviously another consideration is, and I'm sure everyone's in this boat, that multi-vendor is just a reality. We all have either legacy things or we choose to have multiple vendors to keep all the vendors honest; I think pretty much everybody does this.

And just a little blurb about MTU implications: VXLAN costs about 54 bytes extra on MTU, MPLS costs about eight. That's a little bit variable; essentially the eight is what an endpoint is, so you need a VPN label and then you need a service label on top of it. For transit points there's more that comes with that, as they have to have bypass labels and such, and if you get into things that are even more complicated, like carrier of carriers, that increases the label stack, but in general for endpoints it's eight. So again, as I mentioned before, VXLAN scales to about 16 million and then you have to figure out how to stitch together. MPLS, by its nature of being able to scale based on the local IGP that it's run on, can scale infinitely; it doesn't really require any particular set of IDs, it can be run ad nauseam over and over again.

So let's take a look at what we have as far as options in the case of having multiple BGP ASs, as we do between our commercial and residential networks. The first option is Layer 3 VPN Option A. This is kind of popular with the telcos when you want to do a carrier-of-carriers type of thing. Essentially what you do is you configure back-to-back L3VPNs; they don't know about each other, other than that they know they're trading routes between the L3VPNs, and you attain connectivity that way. Some pros to this: again, it's the typical method that carriers allow other carriers to get across their network. Cons: this is operationally intensive, and even if you have a provisioning system there are challenges. You have to coordinate VLANs, capacity planning of this is kind of a bear, you have to figure this out, and then you have to implement rate shaping and things of that nature on it. The transit provider, whoever it is, always has to participate in the control plane. This is kind of important: if you think in the context of, say, Contrail, for example, it's producing a lot of host routes, /32s, so you don't necessarily want to participate in the control plane of a VPN that you don't really even care about. Really, all you're trying to do is provide B-to-Y connectivity, and you don't really care what the routing of A to Z is. So the next
option is Layer 3 VPN Option B. Option B leverages BGP labeled unicast, but it still requires that the transit provider participate in the control plane. Essentially the labeled unicast provides me a label between the two BGP ASs, so that now I can start to lay the groundwork of being able to label traffic end to end, so that I can scale my L3VPNs without having to care about tunnel IDs and be able to keep my network segmented, and not have to think about trying to collapse them because it's easier. There are some pros to this: there are no back-to-back L3VPNs required, it only leverages labeled unicast as an end-to-end tunneling mechanism. Unfortunately it still requires that the transit provider participate in the control plane. This is, again, not a positive thing when that particular intermediary hop has no need for those routes. And there's another aspect of this: it removes the inability to use a route target address family. I'll give you a quick synopsis in case people aren't familiar with it. Essentially how BGP works now is I send you all the routes and you decide which ones you're going to install. The route target address family flips that around: you essentially have to announce that, hey, I own these routes, and if you'd like to have them, reply to me and I will provide you just those routes. So considering that in the case of a carrier I may have hundreds of thousands of routes from a customer, because I just allow them to, that's how their network runs, but I don't necessarily want to see those on my transit router. I only want to see the routes that I actually want an L3VPN to terminate on. So it allows me to terminate it on there and then only get the routes that I want to have, the ones that are interesting to that particular box.

So the last option is Layer 3 VPN Option C. This is pure labeled unicast. The transit network has no idea what the routes are from A to Z; they don't need to. Essentially it's using labeled unicast to provide a tunneling label from one domain to another, so that you can jump from one domain to another and leverage MPLS labeling mechanisms across its network. It's pure data plane; it doesn't know about the control plane at all. Essentially you set up BGP sessions between the two domains that are interesting, that want to be able to advertise routes between each other, and they have peering sessions and are capable of advertising routes to each other, and then the transit network is oblivious to it and is simply just data plane. So positives for this: you have multiple options for label distribution. You can do BGP labeled unicast for this; I believe there's also, I can't remember the RFC number, a labeled ARP concept, which seems kind of interesting to me. So I put down here, and this is kind of important to me, that it provides me infinite horizontal and vertical scale: I can scale my edges that have all the VPNs that are interesting for customers or for us to do business, and my transit network is none the wiser. I don't have to scale the control plane at the expense of the customer routes. It's pretty much a more mature technology; MPLS has been around for a long time. This isn't a very good argument, but it is an argument. VXLAN is kind of a newer thing; as I mentioned, it's got some scaling problems when it comes to IDs, as I discussed earlier, and there are some MTU implications to it. So on the MTU thing, you're pretty much just down to the lowest common denominator: whatever is the lowest MTU you can provide in the path, that's what it has to be. That's it. Any questions?

Thank you for the
talk, first of all. I don't fully get why you call MPLS infinitely scalable; I mean, the MPLS label size is also 24 bits. Do you refer to MPLS service labels being local to the, how to say, provider edge?

Certainly, yes. So that's the rub, right? The service label is only relevant to that domain. So let's say I have OSPF area 100, right; that service label only matters for that domain, and then labeled unicast provides me a label to get to the other domain, and then that domain takes care of those service labels.

So maybe explain a little further what the ASBR does that goes from one domain to another?

It actually swaps both the service and VPN label so it's relevant to that domain, and then at the other edge it does the same action, so that each domain knows what the labels are for that domain.

Yeah, it's the outer portion of VXLAN. VXLAN is kind of an L2 tunneling technology; it's analogous to something like L2TP. In most SDN controllers I've seen, they leverage MPLS as an identifier for a host underneath, so they're doing MPLS over VXLAN or GRE. The issue with VXLAN is that you have to have unique IDs, otherwise you don't know who it's for, right? Whereas MPLS doesn't have that requirement: you're not trying to say I'm trying to get from host A to Z, you're essentially saying I'm trying to get from B to Y, and then the VPN label identifies who the packet actually belongs to.

Hi, thank you for the presentation. It sounds like there are some benefits with MPLS that I would think the carriers would be interested in pursuing. What do you think may be the barriers, if there are providers out there that aren't going with Option C?

I think maybe some of the barriers are, trying to think of the best way to describe it, maybe it's operational, maybe it's about a comfort level. We've all had to solve this in one way or another, having multiple ASs, because pretty much any large provider I've seen has multiple ASs; it's just a fact of life, either via intention or acquisition. So they've all had to solve this in some manner. To me this is a much more elegant and scalable solution that doesn't require continual operational overhead to maintain it, or accepting situations where you're having to say, oh well, capacity-wise we just allow this to happen. So, any other questions?

... know the answer to this. So when I look at Contrail, it's MPLS at its core, right, but I'm actually using IP as the transit layer and then putting MPLS inside of it, and then we rip off the IP and then go back to MPLS and dump it off at the edge, because the endpoints all speak internet and IP, correct? We also have an MPLS backbone, and I was wondering whether you've done any integration where we kind of remove some of those middle headers, because it's entering from MPLS and all I really need is to stack MPLS tags, but now to the transport network in the middle there's still that additional overhead of what I put on at the beginning, basically to make Contrail work. Is there any integration there that makes any sense, that would collapse that?

So doing an end-to-end MPLS encapsulation does exactly that: it plugs you straight into your existing MPLS backbone and allows you to seamlessly move packets around via the data plane. From the transit router's point of view it's just swapping labels; it doesn't know any different. There are some other caveats with using something like GRE or VXLAN as well: when I want to leave the overlay I have to have a gateway that terminates it, and then I have to let it go somewhere. We've kind of jumped through some hoops to make that work without having to have an external box that serves as that gateway. So essentially, when you want to leave the overlay I either have to hand off, so I take off the GRE or VXLAN and hand it off to a separate device that can route IP packets, or, in an MPLS way, what you can do is terminate the L3VPN for internet maybe sooner than when you get to your core and simply run BGP between the external network and your internet router. So you can actually save money this way, you can collapse the functions, and for me at least it's much easier operationally and it scales much better than the alternative.

Yeah, I think you nailed it. We have the nice MPLS, then we exit, and then we're back to IP and we immediately put it back into MPLS. There's got to be a better way, right?

Yeah, right. In our case we label-switch from the edge all the way to our peering routers, so like what you said with the GRE or VXLAN, we're really just decapsulating just so I can go switch it again.

Awesome, thanks. Any other questions? So if we have no more questions, we have Edward from Juniper Networks; he's going to do a quick demo on how to deploy Contrail in a dev/testing environment. So, if you... to work.
Okay, so I'm working in the Contrail business unit and I'm a developer on the config part of Contrail, and here I will just quickly talk to you about a contribution we had from the OpenContrail community that lets you easily deploy Contrail in a DevStack environment. First of all I will describe what DevStack is, for the people who don't know. DevStack is an OpenStack side project based on a collection of scripts that let you quickly deploy a DevStack environment from the master branch to develop or test some features. So it's not a production deployment; it's just for developers or testers. That collection of scripts by default lets you deploy not only a single-node OpenStack environment; there is also optionally the possibility to deploy it in a multi-node case, which is less supported actually, but it works. As I said, it's based on the master branch, and as I also said, it's easy to deploy. For example, in those three lines, if you want to customize your configuration; but by default you can just clone the DevStack scripts and then run it. After that you have, on the single node, all the basic OpenStack services running in a screen shell. You have the code cloned on that host, so you can easily modify the code, restart the services you modified and try your modification. So that collection of scripts is extensible, and the contribution we had from a guy from Orange, the telecom company, is a plugin for deploying and compiling the master branch of OpenContrail inside of OpenStack as well. So in that way, when you run the DevStack script as I explained before, at the end you obtain another screen with the Contrail services running as well, and you also have a clone of all the Contrail code on your host, so you can also easily modify the OpenContrail code, then restart the service you modified and try your features or your fixes directly.

That script has some limitations for the moment. I mean the controller support: it only runs on Ubuntu 14.04 and 16.04. Some services are missing; some Contrail services, like the alarm system, are not supported actually, but any contribution will be welcome. I contributed the support for 16.04, and I had an issue with the web UI controller services, a dependency issue with Node.js libraries, that I did not get fixed, so actually on 16.04 you cannot run the web UI. Another aspect I would like to improve here is perhaps the time to start it, because as Contrail is written mostly in C++ there is a long compilation time. So I'm trying to propose some fix to permit parallelizing the compilation and save a lot of time: actually you need one hour to one hour and a half to compile all of Contrail; if you have a host with around eight virtual CPUs you can get that down to 30 minutes. So it's a contribution I'm trying to push. And what else? No, that's all.

So I can just show you, but I don't have them, so I will do it like this. I have one node already running DevStack. Just to put the mic on the table, so, just to log on to it. Okay, so I'm logged on to a VM where I ran that script. So in DevStack you have a config file where you customize all the deployment: you can decide if you want to run a different OpenStack project, and it's also where you activate the plugins you want to run. So for the case of Contrail, the config file is named local.conf, and I have some customization options, but if you want to add the Contrail plugin you just have to add that line, which I can provide you afterwards; it's very small there, but that is the repository where you can find the plugin for Contrail. So just by adding that line and running the stack.sh script again, you obtain a first screen where you have all the OpenStack services, so for example we can see the Keystone APIs, the Glance API, the Nova services APIs and the Neutron API. And as we ran the Contrail plugin we also have another screen, which we call contrail, and here you find all the Contrail services. I disabled some of them because I try to run only the services I'm interested in when I develop on it, sorry, so here I don't have all the Contrail services, but you find the vrouter, the API, the svc-monitor service, the schema transformer service, the control node service of course, and the collector and analytics. I disabled all the DNS services, QA services and web UI services. So that's all, that's what I just wanted to share with you. If you have any questions, or if you want me to share my DevStack configuration file, don't hesitate to contact me and ping me; you can find me on the OpenContrail Slack.