SDN: The Best Answer to Campus Network Challenges
By Wang Lei, Director of Enterprise Networking Product Mgmt Dept, Huawei Enterprise Business Group
SDN is generating a great deal of new activity in the data center field. Concepts such as open APIs, unified O&M, and SDN overlay have been introduced, and vendors are launching their own distinctive devices and solutions. In the WAN arena, Google and others are applying SDN to bandwidth optimization. Customer needs for SDN on campus networks are urgent because of the steep barriers to upgrading the functionality of traditional network solutions. At US$10B per year, the campus market is likely to become the most dynamic of all the SDN sectors.
Two Challenges Confronting Campus Networks
As more new services like telepresence, network storage, and Virtual Desktop Infrastructure (VDI) are added to traditional office networks, customers face two major quandaries in campus network services:
(1) How do customers avoid building separate physical networks for high reliability services with minimal jitter and delay? Is it possible to run all services on a single physical network and ensure service separation? How do customers build campus networks that offer compatibility with potential new services and avoid constant network upgrades?
(2) With the popularity of BYOD office capabilities on integrated wireless and wired networks, users must be identified by name, password, device, location, and time stamp. As the 802.11ac era unfolds, customers must be able to implement a unified control policy for wireless and wired forwarding at line speed.
SDN is widely accepted as a good way to resolve these dilemmas for campus network services. However, the ASIC-based SDN solution for campus networks has technical limits and is used only in small research networks rather than large-scale commercial deployments. Huawei Enterprise has years of experience in network deployment and has monitored the development trends of wireless and wired networks as well as virtual networks carrying multiple services.
Programmable Hybrid SDN Solution for Campus Networks
Hybrid SDN enables OpenFlow and traditional data and control planes to forward and control traffic from a single control application. Hybrid SDN has been confined to education and research environments, and is not ready for large-scale commercial use for the following reasons:
(1) By using either commercially available or internally developed ASIC chips, vendors have been able to implement OpenFlow flow tables that each contain thousands of flow table entries, yet millions of OpenFlow flow table entries are needed to achieve large-scale commercial deployment of reliable, separate virtual networks.
(2) ASIC-based hybrid SDN can forward traffic of known fixed types but has not been able to support value-added functions such as programming service identification and security encryption on OpenFlow pipelines. Additionally, ASIC-based hybrid SDN has not allowed identification of unknown traffic, forwarding of unknown traffic, or deployment of virtual networks.
Based on fifth-generation agile switches, Huawei next-generation hybrid SDN focuses on programmable campus networks that can be used for large-scale commercial deployment.
Programmable hybrid SDN has the following characteristics:
● Support for Hundreds or Thousands of Large-Sized Virtual Networks on One Campus Network
Using agile switches, Huawei next-generation hybrid SDN provides as many as 16 million OpenFlow flow table entries. This ensures tremendous traffic-forwarding capability and allows users to construct hundreds or thousands of large-sized virtual networks that are securely separated. The enormous number of flow table entries also means that a large number of virtual backup paths can be created on the virtual networks to load-balance traffic and ensure reliable paths.
● Programmable POF to Adapt to Any New Service Deployment, Protecting Customers' Long-Term Network Investments
Based on Huawei's proprietary agile switch and Protocol-Oblivious Forwarding (POF) technology, programmable hybrid SDN allows enterprises to define flexible policies on the control plane to identify new service packets and adapt new services to existing physical networks. This protects customers' long-term network investments.
● Programmable Fault Detection for Service Traffic, Providing Detection and Location of Faults across the Entire Network
The agile switches can insert fault detection identifiers into traffic flows across the entire network. The switches can also detect and locate faults based on all traffic flows or on a limited number of specified flows, allowing them to detect service deterioration and monitor faults on the entire network.
Applications of the Programmable Hybrid SDN Solution for Campus Networks
● High-Quality Virtual Campus Networks for Telepresence and Other Video Services
Telepresence and video services are key enterprise services because they are used in business meetings and receive direct attention from the leadership. At present, enterprises generally rent carrier links for their WANs and sign Service Level Agreements (SLAs) for support. However, the convergence of multiple routes, node congestion, and limited device capacities can lead to sudden packet losses on campus networks, which impairs video quality. To ensure telepresence service quality and minimize packet loss, Huawei constructs separate physical networks to the egress nodes of the campus network, bypassing the office network.
With agile switches, Huawei hybrid SDN can select links on the campus network with high bandwidth and reliability to meet the needs of telepresence and video services as well as switch low-priority services to other paths. In this way, a highly reliable virtual network for video services is implemented. Huawei hybrid SDN provides hardware-level Network Quality Assurance (NQA) fault detection along any specified paths and can adjust service paths immediately according to detection results, improving the video experience.
● Campus Network Virtualization that Automatically Adapts to Organizational Restructuring of Departments
To enhance security, enterprises usually divide campus networks according to departments or services. However, each adjustment in service separation and network restructuring involves thousands of configuration and policy changes, which is difficult to maintain and prone to errors. Take Neusoft's R&D operation as an example: Neusoft expected that its campus network could be divided flexibly according to development projects. However, Neusoft's IT department was not able to plan or control the establishment or completion of the development projects. As a result, the Virtual Local Area Network (VLAN) and Access Control List (ACL) configurations changed constantly, and the maintenance workload was huge. Huawei programmable hybrid SDN provided large-scale virtual network capabilities based on the Policy Center controller and agile switches. On the hybrid SDN, a large number of virtual networks can be added, deleted, or modified in batches, improving Operations and Maintenance (O&M) efficiency and meeting customer needs for flexible service separation.
● iPCA for Fault Detection and Service Statistics Collection across the Entire Network
Today's IP-based enterprise campus networks carry multiple services, such as video, voice, data, and VPNs. With customers increasingly reliant on real-time services, fault detection for packet loss, delay, and jitter demands more sophisticated measures. Traditional detection methods, such as Y.1731, implement fault detection by inserting test packets into service traffic to simulate services, which affects existing services and can lead to errors in test results. As a result, traditional detection methods are ill-suited for campus networks.
The Huawei programmable hybrid SDN provides Packet Conservation Algorithm for Internet (iPCA), which detects real-time service performance based on the programmed network state. iPCA directly identifies and measures real-time service packets and inserts detection identifiers into the service flows themselves. The measurement points are distributed among devices, while the statistics are collected centrally to carry out unified performance calculations. iPCA has the following advantages:
(1) Immediate measurement – iPCA does not simulate packets or affect existing services.
(2) Distributed architecture – with the decoupling of measurement and statistics collection.
(3) Periodic output of network indicators, such as packet loss and delay, using a network synchronization protocol.
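The packet-conservation principle described above (tag live service packets with a period identifier at an ingress measurement point, count the tagged packets at each measurement point, and have a collector compare the counts) can be illustrated with a small simulation. The following Python is an added example written for this article, not Huawei's iPCA implementation or any of its code; the packet format, period length, the constant-delay path model, and the dropped sequence numbers are all constructed for the demonstration, and the two measurement points are assumed to have synchronized clocks.

```python
from collections import Counter
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    flow_id: str
    seq: int
    mark: int      # measurement period the packet was tagged with at ingress
    ts_ms: int     # time the packet was seen (clocks assumed synchronized)


def mark_packets(flow_id, count, period_ms, interval_ms=10):
    """Ingress marking: tag each live service packet with the period in which
    it was sent.  Only a field in the packet is set; no simulated test packets
    are injected, which is the property the text contrasts with Y.1731."""
    return [Packet(flow_id, i, (i * interval_ms) // period_ms, i * interval_ms)
            for i in range(count)]


class MeasurementPoint:
    """Device-side statistics: packet count and first-seen time per (flow, period).
    Packets are binned by the mark they carry, not by the local arrival time, so
    a packet delayed across a period boundary is still counted in its own period."""

    def __init__(self, name):
        self.name = name
        self.counts = Counter()
        self.first_seen = {}

    def observe(self, pkt):
        key = (pkt.flow_id, pkt.mark)
        self.counts[key] += 1
        self.first_seen.setdefault(key, pkt.ts_ms)


def traverse(pkts, delay_ms, drop_seqs=frozenset()):
    """Constructed path model: a constant one-way delay plus an explicit set of
    sequence numbers that the path drops."""
    return [replace(p, ts_ms=p.ts_ms + delay_ms) for p in pkts if p.seq not in drop_seqs]


def collect(ingress, egress):
    """Central collector: per (flow, period), loss is the difference between the
    two counters and one-way delay is the difference between first-seen times.
    Delay is reported as None for a period whose packets never reached egress."""
    report = {}
    for key, sent in sorted(ingress.counts.items()):
        received = egress.counts.get(key, 0)
        delay = None
        if key in egress.first_seen:
            delay = egress.first_seen[key] - ingress.first_seen[key]
        report[key] = {"sent": sent, "received": received,
                       "lost": sent - received, "delay_ms": delay}
    return report


def run_demo():
    """100 packets at 10 ms spacing with 100 ms periods: 10 periods of 10 packets.
    Sequence numbers 3, 57 and 58 are dropped (constructed loss pattern)."""
    sent = mark_packets("video-1", 100, period_ms=100)
    ingress, egress = MeasurementPoint("switch-A"), MeasurementPoint("switch-B")
    for p in sent:
        ingress.observe(p)
    for p in traverse(sent, delay_ms=4, drop_seqs={3, 57, 58}):
        egress.observe(p)
    return collect(ingress, egress)


if __name__ == "__main__":
    for (flow, period), r in run_demo().items():
        print(f"{flow} period {period}: {r}")
```

Run as a script, the report shows one packet lost in period 0, two in period 5, and a 4 ms one-way delay elsewhere. One caveat a practitioner should keep in mind: the first-seen delay estimate is biased whenever the first packet of a period is itself dropped, so production implementations typically carry per-packet or per-period timestamps rather than relying on the first arrival.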
Wireless and Wired Integration Policy Control
● Wireless-and-Wired Integrated High-Speed Networks
The "thin" Access Point (AP) solution is commonly used for wireless deployment on large- and medium-sized campus networks. With this solution, traffic from APs is aggregated through Control And Provisioning of Wireless Access Points (CAPWAP) tunnels to Access Controllers (ACs) in a centralized forwarding architecture. The result is that the ACs become a bottleneck on the wireless network. As WLAN technology progressed through 802.11a/b, 802.11n, and 802.11ac, wireless bandwidth grew from Mbits/s to Gbits/s. Over the same time frame, wireline bandwidth has increased to tens of Gbits/s. Overall, the AC bottleneck has become more severe, especially for services requiring identification.
Like Huawei's hybrid SDN solution, the company's wireless and wired integration policy control relies on fourth-generation programmable switches that integrate wireless AC forwarding, including CAPWAP tunnel termination, into traditional wireline forwarding by programming the forwarding plane. With this approach, the APs become extensions of the access interfaces on existing switches, and the AC traffic bottleneck is no longer an issue. Both wired and wireless services are integrated, processed, and forwarded along the same paths.
● Policy Center-Based Unified Policy Control, Automatic Deployment, and Simplified O&M
A prerequisite for large-scale mobile office deployments is the ability to implement sound security policies, such as visitor identification and access control, intelligent device type identification and access control, and access control between users. Security policy control is the key to enterprise information security on networks for several reasons.
Unfortunately, distributed policy control points lead to complex management configurations. Integrating wireless and wired in the same network further complicates the situation. Access and aggregation switches on wired networks are potential policy control points. O&M engineers must set up multiple configurations, including user group policies and authentication parameters. For wireless users, the ACs are policy control points, which also increases the configuration workload. Currently, many enterprises prefer to deploy unified policy control points on the devices at the aggregation or core layer to simplify management and configuration. This approach completely opens the underlying network to users. Unauthorized users can communicate with authorized users, increasing the potential for information leaks and malicious attacks. Staff mobility and network access by intelligent devices further expand security concerns. In the mobile office era, policy control will extend to large numbers of access devices, in turn making policy management and network configuration increasingly complex.
Policy control is based on multiple attributes. At present, most enterprise policy control is based on user identification and department. Mobility requires further diversification. For example, users have different access authorizations for desktop computers, tablets, and laptops in both wired and wireless networks. User access is controlled by time and identification. A similar variety of attributes should be considered when customers are planning their security policy controls.
Huawei wireless and wired integration uses a unified Policy Center to automatically detect multiple user attributes and deliver fine-grained control. User access control is enforced at the agile switches. This feature allows the integration of scattered policy control points, such as those on switches and ACs. Further, the integrated control points can be associated with access switches based on the wireless AP/AC centralized management mode. The policies are delivered to the access switches only, which substantially reduces the number of policy control points and the O&M workload.
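The two preceding paragraphs describe policy control keyed on several attributes at once (user group, device type, wired or wireless medium, location, and time) with a central policy that is pushed only to the access switches that need it. The following Python is an added example written for this article, not Huawei Policy Center code or its policy language; the rule names, groups, device types, switch identifiers, role names and time windows are all constructed, and the evaluation order (first matching rule wins, unmatched attempts fall into a quarantine role) is a design choice of the example.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional

ALL_DEVICES = frozenset({"desktop", "laptop", "tablet", "phone"})


@dataclass(frozen=True)
class AccessContext:
    """Attributes a policy point sees for one access attempt (constructed)."""
    user: str
    group: str          # department or role learned during authentication
    device_type: str    # result of device-type identification
    medium: str         # "wired" or "wireless"
    location: str       # identifier of the access switch the user attached through
    at: time            # local time of the access attempt


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset
    device_types: frozenset
    media: frozenset
    locations: Optional[frozenset]   # None means the rule applies at every switch
    start: time
    end: time                        # inclusive; start > end means the window wraps midnight
    role: str                        # authorization result, e.g. the name of a VLAN/ACL set

    def in_window(self, at):
        if self.start <= self.end:
            return self.start <= at <= self.end
        return at >= self.start or at <= self.end

    def matches(self, ctx):
        return (ctx.group in self.groups
                and ctx.device_type in self.device_types
                and ctx.medium in self.media
                and (self.locations is None or ctx.location in self.locations)
                and self.in_window(ctx.at))


# Central policy, written once. Every value below is constructed for the example.
POLICY = [
    Rule("rd-managed", frozenset({"rd"}), frozenset({"desktop", "laptop"}),
         frozenset({"wired", "wireless"}), None, time(0, 0), time.max, "rd-full"),
    Rule("rd-byod", frozenset({"rd"}), frozenset({"tablet", "phone"}),
         frozenset({"wireless"}), None, time(7, 0), time(20, 0), "rd-internet-only"),
    Rule("guest-lobby", frozenset({"guest"}), ALL_DEVICES,
         frozenset({"wireless"}), frozenset({"lobby-sw1"}), time(8, 0), time(18, 0),
         "guest-internet"),
]

QUARANTINE = "quarantine"   # deny-by-default role when no rule matches


def authorize(policy, ctx):
    """First matching rule wins; an unmatched attempt lands in the quarantine role."""
    for rule in policy:
        if rule.matches(ctx):
            return rule.role
    return QUARANTINE


def decide(user, group, device_type, medium, location, hour, minute=0):
    """Convenience wrapper that builds the context from plain values."""
    return authorize(POLICY, AccessContext(user, group, device_type, medium,
                                           location, time(hour, minute)))


def rules_for_switch(policy, location):
    """The subset of the central policy an access switch at `location` must hold.
    This is what gets delivered to that switch; rules scoped to other sites are not."""
    return [r for r in policy if r.locations is None or location in r.locations]


if __name__ == "__main__":
    print(decide("alice", "rd", "laptop", "wired", "rd-sw3", 10))        # rd-full
    print(decide("alice", "rd", "tablet", "wireless", "rd-sw3", 21))     # quarantine
    print(decide("bob", "guest", "phone", "wireless", "rd-sw3", 9))      # quarantine
    print([r.name for r in rules_for_switch(POLICY, "lobby-sw1")])
```

The point of `rules_for_switch` is the operational one made in the text: the policy is authored in one place, but each access switch receives only the rules that can apply to users attached through it, so the number of places an engineer must inspect when a decision looks wrong stays small. Default deny matters for the same reason: an access attempt that no rule covers (a new device type, a user outside every time window) should land in a restricted role rather than inherit the open underlying network.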
SDN Vision for Campus Networks
Huawei hybrid SDN for campus networks is based on fifth-generation agile switches to make network resource usage more flexible than ever. This solution overcomes the challenges brought by new services. The deployment of programmable hybrid SDN will integrate core enterprise services, bringing an end to the coexistence of multiple, traditional networks.