Okay, now it's 1:50, so I'd like to start the presentation. So my name is Ichiro Fukuda, from NTT Innovation Institute. Today, I'm gonna talk about carrier-class NFV use cases. So we have a co-presenter, Prateek, from Juniper Networks.

Some of the NFV initiatives at Juniper. I'm on the Contrail team.

Okay, so, we'll go, yeah. So since we plan to do the live demo here, we just wanted to move quickly to introduce the context and directly dive into the demo. So let's keep this line. So today I would like to talk about enterprise WAN challenges in the beginning, and then we will share the NTT Group's ESI solution, which incorporates SDN and NFV technology to bring the carrier SDN/NFV services to the enterprise, and then demo, and move on to the Q&A.

So first one. So this is a context of the enterprise WAN overview. So today, as NTT Innovation Institute, we are running the customer experience center to start, which is focused on, like, an R&D arm for the NTT Group to focus on delivering the global services to our customers. And also, we are running the customer experience center to engage with the customer and grab the feedback and learn the thoughts for their challenges. So this is a slide of what we captured during our customer engagement.

So today, enterprise customers' challenges are a set of five things. So one is for the networking: they struggle with overwhelming workload. They have too many devices to manage, especially like retail or a large enterprise. So they do have lots of CPE devices, a lot of middleboxes to manage to make the networking work. And also they have a problem with slow network provisioning. So most of the enterprise network.
So still they do have manual provisioning processes. And the third one, operational insecurity. So since nowadays, like, a security device, a network threat is increasing, it's very difficult for them to manage the security and keep it, keep it insecure. And fourth one, they have a lack of visibility. Basically, once they come to our carrier services, they have no clue on what's happening in the network, so they have difficulties to troubleshoot, on the visibility to understand what's happening in their enterprise system. And fifth one, also the compliance overhead. They do have their own corporate compliances, so it's very difficult to manage. Especially for a large multinational company, it's very difficult to manage their policy to make sure that it's properly configured. So this is our observation from our NTT Group engagement.

And second one. So this I pulled up from the Open Networking User Group, ONUG, SD-WAN working group. It captures the same concept, like what enterprise early adopter speakers are talking about, the problem spaces of WAN for their enterprise. So there's a really high expectation to have a software-defined WAN from ONUG as well. So they say, for instance, look at the five. So enterprise is claiming high cost and low control of the wide area network. So that means, to us as a service provider, we need to give the low-cost and high-control plan services, and also reduce the time for the provisioning cycles and have more efficient security enforcement.

So as NTT, as a service provider, what do we do?
So we are seeing that a lot of the share of the customer wallet is shifting from carrier circuits, like physical pipes, and selling network hardware as network integration, and is moving, shifting to more value-added services or managed services. So we'd like to capture this opportunity to bring the end-to-end solution by providing a converged IT infrastructure-as-a-service model.

So here's our solution. Our solution is called Elastic Service Infrastructure, ESI. So ESI, at a high level: we provide the service infrastructure of the SDN- and NFV-enabled programmable enterprise networking. So the concept is to distribute the NFVI over multiple locations. If you look at the diagram, our orchestrator, controller, orchestrates. There are three levels of altitude: cloud, fog, and ground. So most of the vCPE use cases, kind of like everyone talks about, have the virtualized function in the carrier services, but in our case, we like to distribute to the customer premises as one distributed small nano cloud environment with the CPE devices. And also we are focusing on opening up the VNF marketplace to have VNF partners put their own VNF services in the marketplace, and we provide the platform services to provide those multiple, various VNF services from the marketplace, so that customers can choose their own preferred brands or vendors and they can freely place their network appliances with the appropriate topology that they have.

So the status of the ESI: currently, in the NTT Group, we are in the internal product evaluation phase, and we'd like to move to roll out, having customers test our beta services at the end of this year.

So, solution overview. So capturing those significant interests from our enterprise customers, the solution incorporates the customer needs: flexible service chaining, to have their preferred device functions placed on demand; and also they need a more centralized management, like pushing
their unified policy, security control, from the orchestrator or centralized controller. And third one, we need the carrier-grade SDN platform to have those virtual networks to connect all the enterprise branches, including a cloud data center or their private data center.

So this is the solution details, a bit small words, but I'd like to capture it in the actual demo. So basically what we'd like to do is, we have a CPE here, so I'm gonna provide a live demo to add this room as one of the enterprise branch offices. So yeah, I'd like to capture this solution details later.

So go to the live demo, our use cases. Enterprise WAN. ESI captures lots of use cases, but in this presentation we'd like to focus on branch networking: how are we gonna roll out the branch more quickly? So for instance, adding the branch in today's network, we usually take six to eight weeks to bring up the branches and finish all the, I don't know, the VPN configuration to the rest of the sites. So it's very time-consuming. But in this demo, we'd like to have more on-demand onboarding, self-onboarding, to the enterprise VPN.

So this is the demo setup. So now I have CPE devices we call elastic service edge; we call this ESE. So I have my laptop connecting to the portal services, the self-service portal, and this device has an orange cable as a management plane to configure, just do a single, simple onboarding process. And I have a white cable as a LAN interface, which is connected to my laptop, and the blue one is the WAN interface, connected to the uplink which this conference venue provides.
So this is the ESI portal that customers, like a customer admin or network admin, will play with. So this is the overview topology. So let's say these green boxes are the CPE devices, or you can understand this as a VPN site. And you see the gray box at the left top. That's the Vancouver site that we are trying to onboard today. The inner circle, these are the VPN. So since this is SDN, and we are using SDN and NFV, it's kind of like once you get into this LAN port, everything, you can understand it as one fabric, a big fabric. So the customer can create their own network slices, like a corporate one for the general corporate access, and a business or innovation one, like having their own division's closed network, which is not connected to the internet, and so on. So we do have kind of a simplified data model for a lack of devices. Sorry, so, session time.

So this one, so this is the CPE device management, and we do have kind of a virtual network here. So now let's go to the device onboarding. So the customer can easily onboard, self-onboard, to the VPN by creating a token and associating a device to the local here. So now I'm gonna copy the token here and switch to the device.
So this is the web UI, the onboard embedded web UI, which is running on this CPE device. I will associate a token. So once I associate a token here, this device will phone the home cluster to get registered to the VPN. So back inside. So currently, now, the device is authenticated by token, and the controller, the VPN controller running on the cloud side, starts configuring the details tunnel between each site that needs a tunnel. So in our case, for that we are using the underlay/overlay VPN, like SSL VPN technology as an underlay of the virtual network. And then we put the network virtualization layer on top to have a more on-demand, flexible, configurable network.

So now it looks like we should have a tunnel up. So this is kind of like, we have a connection established with the concentrator, which is where the controller cluster is running, and we do have two peers with other VPN sites. So this is kind of providing an overlay VPN, very similar to the MVP and our other solution, which creates a virtual network on the fly.

So next one. So the customer can come to the ESI service catalog and choose their preferred devices to push from the central place. So this is the ESI service catalog. So this is based on a template. So these are our current partners who provide us the VNFs and are working together.
So in this demo, I'd like to bootstrap the Fortinet firewall. So we have a simple policy here when we onboard the Fortinet to this edge device. So now I put some web filter policy, like not to access the NTT i3 website. And so the customer can simply deploy.

So now what happens at this moment is, yeah, so this device starts connecting to the home cluster and checks the VNF to be downloaded to this device, and the orchestrator will spin up the VM and configure the service instance from the central point, so that you don't have to manually configure the network devices at the local side. So this is the entry of the Fortinet firewall. It's going to take some time to bring all those functions up, so I'd like to wait a couple of minutes to spin up those VMs to make sure that's functional.

So while waiting for the VM, I just wanted to derail, do some technology aspects. So for this function, you're seeing the controller, orchestrator, portal. So it's running the API services and giving the abstracted view of the data model. As a control cluster, at the data center side, we are using OpenStack. And as an SDN layer,
we are using OpenContrail. And that's the global and local context. We have our own abstraction layer, and we put the Heat layer between the product APIs so we can separate the service and the product or southbound APIs cleanly.

So this is kind of a more rapid service development framework that we have. So basically, in most existing network SDN development, we know that there are lots of benefits from NETCONF. But in our case, our framework is defined based on JSON, and we write the service model, abstraction model, in the YAML file online, so that it's extremely easy to define your own service API or service abstraction layer. And then we manage the templates here, for the Heat template for instance. So it's kind of, we assume a more zero-coding service enablement by using this framework.

Why do we do this? We want to separate the abstraction layer level and the service and the product. As the service provider, we do have hundreds of OSS/BSS behind, right? So we usually ask the product vendors to modify their APIs or add an attribute for the specific use cases, but it doesn't work. It takes some time, and also the product vendor wants to hesitate to invade their own product model or API model.
So it's very important to have a clear separation between the services and the standard or product APIs, so that we can have a more rapid customization for the API, whatever our BU needs or a customer needs. So this is kind of the idea of how we put the orchestration layer on top.

So while talking, now we see the Fortinet firewall up and running. So you see something like an output from the Heat stack that VMs are correctly deployed on the edge side. So now I'd like to check the data plane, whether it's working. So I will turn off my uplink that is connected to the Portory internet, to make sure that I use this LAN port. So, check the connectivity. So first I'd like to go to the intranet website. We are using a VPN, so this shows this packet goes through, comes to this port one, and it will use the tunnel, the SSL tunnel, to the remote site that is running this intranet web server.

So next one. I'd like to make sure that I can break out to the internet from local here. So next one is to access Google. So now you can see Google, it's working.

So, the importance of this local internet breakout. So current enterprises, mostly they aggregate, or they have their own data center or internet breakout point at the hub site. But while you're seeing lots of adoption of SaaS services like Office 365, Salesforce, they have latency issues coming in. But when they distribute the firewall or the policy enforcement endpoint, they have to deal with that inefficiency of the security. So ESI will take care of these, having a local breakout point at the local site, and also gives them more centralized management, policy distribution from the controller side.

And finally, I'd like to go check that I cannot go to my company website.
So you see the FortiGuard web filter is functioning at this side to not allow the traffic to the, yeah, which is filtered by this firewall. So this is the demo that we have.

Then go back to the presentation to recap the demo. So we are running the ESI controller at the global side. So we have a service abstraction layer, and that's based on the goal based API server, as you see, having the rapid service development framework running. So we have the abstraction model at the global side, and we do have kind of a mapping layer, like a worker mapping layer, to use Heat as the orchestration engine. Under Heat there's a microservice controller, like a VPN controller to manage the SSL VPN, and the SDN controller, and we use OpenStack to spin up the VM on the data center side.

So the important point is, we use OpenStack Nova on the data center side, but we don't use Nova compute at the edge side. We simplify that service instance spin-up, to have the KVM-based VM and the Docker image, so we can spin up those service instances from the switch agent directly, to have a more lean compute environment at the remote side. This will help us simplify more and not have that complexity, the data center's comprehensive complexity, brought into the enterprise edges. So this is our idea. So, yeah, this is the high-level architecture that we have, and I'd like to switch to the OpenContrail part, to Prateek.

Sure. Thanks, Ichiro-san. So from the Contrail perspective, the network architecture is such that we have created a Neutron plug-in which exposes all the Neutron APIs. We also have an extension set of APIs which enables things like service chaining and so on, and that's how the orchestrator, whether in this case the NTT i3 or other OpenStack orchestrators, can actually talk to the entire SDN environment.
There is a controller, which is a logically centralized but physically distributed set of nodes, and they talk BGP east-west; that enables scale. South, on the data plane side, there is a vRouter component, and one of the vRouter components is actually running on this box. So there's a vRouter component, which is a data plane component, a kernel loadable module, a lightweight kernel loadable module, and essentially that is the one that takes directions from the controller and makes things happen.

And the things that it can make happen are things like, you can create two virtual networks. Essentially, as you can see, there are blue and green virtual networks. You can create them, and you can assign, whether bare metal servers or containers or virtual machines, to each of them, and you can have policies between them. And those policies could be things where you can spin up a firewall, one of the firewalls we spun up here, and you can say that any traffic from one virtual network to another goes through that particular firewall. So this enables you to do a centralized policy definition and distributed policy enforcement.

There again, as you can see, the vRouter can run on Linux boxes, which could be either a CPE device or some x86 servers running within data centers or PoPs or what have you. And the controller also talks to the top-of-rack switches, using, again, standard protocols.
So as you can see, it uses OVSDB, which is a standard protocol, and that's how it makes bare metal part of a virtual network.

So the thing that I want to actually highlight here is that, you know, it's a multi-vendor kind of an approach. It's a set of loosely coupled components, and we can enable that because we use standard protocols, as I just mentioned. Whether you're talking about different Linux OSes or hypervisors, containers; whether you're talking about x86 servers or CPE devices; whether you're talking about a gateway (you need a gateway to terminate all the tunnels and go out to the internet); or you're talking about top-of-rack switches. Of course, being part of Juniper, we have interoperated with Juniper QFX5100, but also Cumulus and other white box switches, and also the orchestrator itself. So all in all, it provides you a set of loosely coupled components, but together it gives you an integrated environment. And that makes the solution multi-vendor.
I think that's something that service providers like NTT, and some of you, will appreciate quite a bit.

In terms of the ESI solution specifically, we did it in a very co-creative, collaborative manner, as Ichiro-san was referring to earlier, where there were engagements on a weekly basis. There were engagements almost on a daily basis sometimes, from both sides: the engineering side as well as product management as well as the architect side. And it was more of a partner kind of relationship than a customer relationship. And what that helped us do is, it helped us drive some of the product requirements. Some of the things like physical plus virtual interconnect, the use case that I was talking about where you can have bare metal services part of virtual networks, that was something that was actually driven by a requirement from NTT. There were other things, like containers; that was again another thing that was driven by this particular engagement. In terms of, again, the central, there is a central portal where you are doing the provisioning of those CPE devices.
Of course, we had to enable that, so there also we had a good amount of collaboration going on, and product requirements being driven from this engagement.

And the features that were used, of course the existing Contrail features that were used in this particular solution, were service chaining, where you can have multiple services, some of them running on the CPE device, some of them running at the data center, chained together. Then the whole concept of, you know, you define a policy centrally and have it enforced in a very distributed manner, and one of the distribution points is the CPE device. So all that is something that is key in Contrail, that was enabled by the solution. Of course, the vRouter itself running on the CPE device, the functionalities of the vRouter, was also something that was enabled.

And we had a carrier-grade platform. Because we cater to telcos, we have to have a carrier-grade platform, which is performant: whether you're talking about latency or throughput or packets per second, it is performant. It is scalable, because it uses scalable protocols like BGP, both at the control plane level and at the data plane level. It is highly available; we have made all the components highly available. Security is one of the important things; we just saw one example of centralized security and distributed enforcement. Interoperability is of course very key, because as you can see, on top of Contrail we are running a Fortinet firewall.
So that actually tells you the interoperability nature of the solution. And analytics is very important because, as you saw, a lot of information from the CPE device, from the data center, is being passed back to the centralized admin, and there you can see what is actually going on in your branch offices and data centers and so on.

So what we have here is a press release that we did, and here is a URL where you can go and take a look at the solution in more detail. This is probably an example where we saw a customer having a particular problem, and that problem is probably prevalent in the telco market. We saw a particular problem and we solved it in a very co-creative and collaborative manner.

Yeah, so we'd like to conclude the presentation. But so we, as a service provider, are very focused on having open source. It's very important for us to have code inside and let us contribute, to integrate, to develop our service provider service from the service provider. So as you see, there's not only OpenStack, but also Contrail, and we have our own SSL components and devices, so it needs a lot of work to integrate, to deliver the product or services at speed. So it's very important, and as Prateek mentioned, we need a very loosely coupled model for the module architecture to have the product development. So we'd like to hear back from you, service providers, or if you have VNFs. We are very open to collaborate and discuss how we can bring NFV into a real business. I'd like to open up the Q&A session. Thank you very much.

I have a two-part question. One, I guess, any kind of scale testing, like how many vCPEs you could potentially host in the solution? The second part is, you mentioned you're intentionally not making the CPE device a Nova node, like Nova compute. Can you elaborate why you
went that route, as opposed to making it a Nova node show up in a controller?

Okay, so first question, the number of the endpoints, our CPE devices. That is why we chose Contrail, to have a more proven scale by BGP. So basically the virtual network is managed and connected by the BGP running on the Contrail controller side, so that it natively scales, from the endpoint perspective. So from the CPE device point of view: of course, I don't know whether you already experienced having Nova running in the NFV use cases, especially the CPE device, like a remote device. So if you have Nova compute, you have to have a secure connection to, like, RabbitMQ or the RPC server running on the data center side. And so let's say Contrail has its own controller and Nova uses their own RPC channel. It doesn't make sense to have multiple similar mechanisms for the remote side management. So it needs to be more focused and simplified, to slim down the stacks to the size that we can manage in this small remote site. So by design we embedded all those service instance creation channels into XMPP. Then we have simpler stacks running in this device. Is that answer to you?

The other thing I just want to quickly add is that there is no scheduling being done. You know what device you are actually spinning up the VM on. So that is one reason why we did not need to use Nova. And of course the vRouter is sitting on the CPE device, so it sends back a lot of information centrally, so you have a view of your branch.

Can you get back to the architecture slide that you had? Yeah, this one. So what exactly are the roles and responsibilities of OpenStack and OpenContrail here?
Okay, so yeah, I was just gonna say that OpenStack does VM orchestration; OpenContrail takes care of the networking part. We have a Neutron module, as I said, which exposes the standard Neutron APIs. So when OpenContrail actually calls into a Neutron API, it comes to the Neutron plug-in and then the whole environment takes over. So, I mean, there's a clear distinction between the networking part versus the compute orchestration and storage and other APIs.

So are you just using OpenStack just to bring up the VMs here? They're using the templates?

So it depends. So it's taken care of by the worker. So if the user chooses to run at the PoP side, PoP means Nova will schedule to deliver the VM inside the PoP for the VNF creation. So then when the customer chooses, like, the device name or a device group, it will schedule to that, drop the VNF image directly, explicitly. So we use the Heat layer; sometimes in the DC we use Nova, and for ESE management, like the remote side, we directly call the Contrail API to spin up the service instance by using the Contrail API.

And then Contrail in turn uses Nova to spin up VMs.

And how do you download the bootstrapping configuration? So let's say, you know, you have a specific service configured. Where do you generate this config and how do you download it?

For the VNF configuration or the general, like, CPE configuration?

Both.

So basically, general device configuration.
So this pulls from the controller side running in the cluster, the home cluster, and particularly checks whether it's updated or the, and then it will automatically fetch the configuration in an appropriate manner, or even the OS can be checked and updated automatically here. So the VNF configuration, it's more of a top-down approach. So in our case, we assume some VNF manager from a third-party vendor, running from a third party, or we put some simple abstracted APIs like what you see today. So as a platform, we are very open, not to hide those vendor differentiator features. The customer has their own reason to select the vendors and the devices for their specific use cases. So our platform is open: the customer can manage their own VNF directly, or put some orchestrator from the product vendor side, which comes with the VNFs, or we can add a more simple abstraction layer by the service provider. So we have three levels of engagement for how we manage the VNFs.

Thank you.

JSON, yeah, JSON schema. Contrail is XML. Yes, but so the product and our orchestrator model are different. So we define our service model and write the definition of how we map the service abstracted model to the product. So if you see OpenStack, OpenContrail, lots of southbound products, you see lots of APIs, but we don't want to expose them to our customer, so we abstracted and simplified the data model, and then the orchestration layer will do the very busy things for orchestrating the underlying APIs. Any questions?

The question is, what is the model of these CPE devices, and what is the target number or saturation number of the VNFs?

So from the ESI architecture point of view, our software can be portable on any devices, as a CPE or this kind of small desktop form factor appliance, or an x86 server with a bunch of horsepower. So solution-wise,
it's portable. But this model is focused on more small offices. So let's say, for example, retail customers: they don't have their own dedicated IT staff on site, so they need a more simplified, small architecture. They don't have a use case to spin up a bunch of VNFs. So our assumption is to spin up a couple of VMs. So we have selected an Atom-based processor, which is for poor, and having the software forwarding process running on site. So this is sufficient for a small enterprise office.

Yeah, from a Contrail architecture perspective, this is just another compute node, and you can have multiple of those compute nodes where you spin up VMs on any one of them.

Okay, this is now the time. So, any other questions? Okay, so it's perfect. It's 2:30. Thank you very much for that.