blob: 16b83a151c78e5d6097372b76fdebc5b2f1c0416 [file] [log] [blame]
pierventre517cd532021-10-12 22:58:00 +02001.. _architecture_design:
2
Charles Chancaebcf32021-09-20 22:17:52 -07003Architecture and Design
4=======================
Charles Chan10ad1442021-10-05 16:57:26 -07005
6Architecture
7------------
8
9Classic SDN
10^^^^^^^^^^^
11SD-Fabric operates as a hybrid L2/L3 fabric. As a pure (or classic) SDN solution, SD-Fabric does
12not use any of the traditional control protocols typically found in networking, a non-exhaustive
13list of which includes: STP, MSTP, RSTP, LACP, MLAG, PIM, IGMP, OSPF, IS-IS, Trill, RSVP, LDP
14and BGP. Instead, SD-Fabric uses an SDN Controller (ONOS) decoupled from the data plane
15hardware to directly program ASIC forwarding tables in a pipeline defined by a P4 program. In
16this design, a set of applications running on ONOS program all the fabric functionality and
17features, such as Ethernet switching, IP routing, mobile core user plane, multicast, DHCP Relay,
18and more.
19
20
21Topologies
22^^^^^^^^^^
23SD-Fabric supports a number of different topological variants. In its simplest instantiation, one
24could use a single leaf or a leaf-pair to connect servers, external routers, and other equipment
25like access nodes or physical appliances (PNFs). Such a deployment can also be scaled
26horizontally into a leaf-and-spine fabric (2-level folded Clos), by adding 2 or 4 spines and up to
2710 leaves in single or paired configurations. Further scale can be achieved by distributing the
28fabric itself across geographical regions, with spine switches in a primary central location,
29connected to other spines in multiple secondary (remote) locations using WDM links. Such 4-level
30topologies (leaf-spine-spine-leaf) can be used for backhaul in operator networks, where
31the secondary locations are deeper in the network and closer to the end-user. In these
32configurations, the spines in the secondary locations serve as aggregation devices that backhaul
33traffic from the access nodes to the primary location which typically has the facilities for compute
34and storage for NFV applications.
35See :ref:`Topology` for details.
36
37
38Redundancy
39^^^^^^^^^^
40SD-Fabric supports redundancy at every level. A leaf-spine fabric is redundant by design in the
41spine layer, with the use of ECMP hashing and multiple spines. In addition, SD-Fabric supports
42leaf pairs, where servers and external routers can be dual-homed to two ToRs in an active-active
43configuration. In the control plane, some SDN solutions use single instance controllers, which are
44single points of failure. Others use two controllers in active backup mode, which is redundant,
45but may lack scale as all the work is still being done by one instance at any time and scale can
46never exceed the capacity of one server. In contrast, SD-Fabric is based on ONOS, an SDN
47controller that offers N-way redundancy and scale. An ONOS cluster with 3 or 5 instances are all
48active nodes doing work simultaneously, and failure handling is fully automated and completely
49handled by the ONOS platform.
50
51.. image:: images/arch-redundancy.png
52 :width: 350px
53
54MPLS Segment Routing (SR)
55^^^^^^^^^^^^^^^^^^^^^^^^^
56While SR is not an externally supported feature, SD-Fabric architecture internally uses concepts
57like globally significant MPLS labels that are assigned to each leaf and spine switch. The leaf
58switches push an MPLS label designating the destination ToR (leaf) onto the IPv4 or IPv6 traffic,
59before hashing the flows to the spines. In turn, the spines forward the traffic solely on the basis
60of the MPLS labels. This design concept, popular in IP/MPLS WAN networks, has significant
61advantages. Since the spines only maintain label state, it leads to significantly less programming
62burden and better scale. For example, in one use case the leaf switches may each hold 100K+
63IPv4/v6 routes, while the spine switches need to be programmed with only 10s of labels! As a
64result, completely different ASICs can be used for the leaf and spine switches; the leaves can
65have bigger routing tables and deeper buffers while sacrificing switching capacity, while the
66spines can have smaller tables with high switching capacity.
67
68Beyond Traditional Fabrics
69--------------------------
70
71.. image:: images/arch-features.png
72 :width: 700px
73
74While SD-Fabric offers advancements that go well beyond traditional fabrics, it is first helpful to
75understand that SD-Fabric provides all the features found in network fabrics from traditional
76networking vendors in order to make SD-Fabric compatible with all existing infrastructure
77(servers, applications, etc.).
78
79At its core, SD-Fabric is a L3 fabric where both IPv4 and IPv6 packets are routed across server
80racks using multiple equal-cost paths via spine switches. L2 bridging and VLANs are also
81supported within each server rack, and compute nodes can be dual-homed to two Top-of-Rack
82(ToR) switches in an active-active configuration (M-LAG). SD-Fabric assumes that the fabric
83connects to the public Internet and the public cloud (or other networks) via traditional router(s).
84SD-Fabric supports a number of other router features like static routes, multicast, DHCP L3 Relay
85and the use of ACLs based on layer 2/3/4 options to drop traffic at ingress or redirect traffic via
86Policy Based Routing. But SDN control greatly simplifies the software running on each switch,
87and control is moved into SDN applications running in the edge cloud.
88
Carmelo Cascone43989982021-10-12 00:01:19 -070089While these traditional switching/routing features are not particularly novel, SD-Fabric's
Charles Chan10ad1442021-10-05 16:57:26 -070090fundamental embrace of programmable silicon offers advantages that go far beyond traditional
91fabrics.
92
93Programmable Data Planes & P4
94^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Carmelo Cascone43989982021-10-12 00:01:19 -070095SD-Fabric's data plane is fully programmable. In marked contrast to traditional fabrics, features
Charles Chan10ad1442021-10-05 16:57:26 -070096are not prescribed by switch vendors. This is made possible by P4, a high-level programming
97language used to define the switch packet processing pipeline, which can be compiled to run at
98line-rate on programmable ASICs like Intel Tofino (see https://opennetworking.org/p4/). P4
99allows operators to continuously evolve their network infrastructure by re-programming the
100existing switches, rolling out new features and services on a weekly basis. In contrast, traditional
101fabrics based on fixed-function ASICs are subject to extremely long hardware development
102cycles (4 years on average) and require expensive infrastructure upgrades to support new features.
103
104SD-Fabric takes advantage of P4 programmability by extending the traditional L2/L3 pipeline for
105switching and routing with specialized functions such as 4G/5G Mobile Core User Plane Function
106(UPF) and Inband Network Telemetry (INT).
107
1084G/5G Mobile Core User Plane Function (UPF)
109^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
110Switches in SD-Fabric can be programmed to perform UPF functions at line rate. The L2/L3
111packet processing pipeline running on Intel Tofino switches has been extended to include
112capabilities such as GTP-U tunnel termination, usage reporting, idle-mode buffering, QoS, slicing,
113and more. Similar to vRouter, a new ONOS app abstracts the whole leaf-spine fabric as one big
114UPF, providing integration with the mobile core control plane using a 3GPP-compliant
115implementation of the Packet Forwarding Control Protocol (PFCP).
116
117With integrated UPF processing, SD-Fabric can implement a 4G/5G local breakout for edge
118applications that is multi-terabit and low-latency, without taking away CPU processing power for
119containers or VMs. In contrast to UPF solutions based on full or partial smartNIC offload,
Carmelo Cascone43989982021-10-12 00:01:19 -0700120SD-Fabric's embedded UPF does not require additional hardware other than the same leaf and spine
Charles Chan10ad1442021-10-05 16:57:26 -0700121switches used to interconnect servers and base stations. At the same time, SD-Fabric can be
122integrated with both CPU-based or smartNIC-based UPFs to improve scale while supporting
123differentiated services on a hardware-based fast-path at line rate for mission critical 4G/5G
124applications (see https://opennetworking.org/sd-core/ for more details).
125
126Visibility with Inband Network Telemetry (INT)
127^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
128SD-Fabric comes with scalable support for INT, providing unprecedented visibility into how
129individual packets are processed by the fabric. To this end, the P4-defined switch pipeline has
130been extended with the ability to generate INT reports for a number of packet events and
131anomalies, for example:
132
133- For each flow (5-tuple), it produces periodic reports to monitor the path in terms of which
134 switches, ports, queues, and end-to-end latency is introduced by each network hop
135 (switch).
136- If a packet gets dropped, it generates a report carrying the switch ID and the drop reason
137 (e.g., routing table miss, TTL zero, queue congestion, and more).
138- During congestion, it produces reports to reconstruct a snapshot of the queue at a given
139 time, making it possible to identify exactly which flow is causing delay or drops to other flows.
140- For GTP-U tunnels, it produces reports about the inner flow, thus monitoring the
141 forwarding behavior and perceived QoS for individual UE flows.
142
Carmelo Cascone43989982021-10-12 00:01:19 -0700143SD-Fabric's INT implementation is compliant with the open source INT specification, and it has
144been validated to work with Intel's DeepInsight performance monitoring solution, which acts as
Charles Chan10ad1442021-10-05 16:57:26 -0700145the collector of INT reports generated by switches. Moreover, to avoid overloading the INT
Carmelo Cascone43989982021-10-12 00:01:19 -0700146collector and to minimize the overhead of INT reports in the fabric, SD-Fabric's data plane uses
Charles Chan10ad1442021-10-05 16:57:26 -0700147P4 to implement smart filters and triggers that drastically reduce the number of reports
148generated, for example, by filtering out duplicates and by triggering report generation only in
149case of meaningful anomalies (e.g., spikes in hop latency, path changes, drops, queue congestion,
150etc.). In contrast to other sampling-based approaches which often allow some anomalies to go
151undetected, SD-Fabric provides precise INT-based visibility that can scale to millions of flows.
152
153Flexible ASIC Resource Allocation
154^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Carmelo Cascone43989982021-10-12 00:01:19 -0700155The P4 program at the base of SD-Fabric's software stack defines match-action tables for
Charles Chan10ad1442021-10-05 16:57:26 -0700156common L2/L3 features such as bridging, IPv4/IPv6 routing, MPLS termination, and ACL, as well
157as specialized features like UPF, with tables that store GTP-U tunnel information and more. In
158contrast to fixed-function ASICs used in traditional fabrics, table sizes are not fixed. The use of
159programmable ASICs like Intel Tofino in SD-Fabric enables the P4 program to be adapted to
160specific deployment requirements. For example, for routing-heavy deployments, one could
161decide to increase the IPv4 routing table to take up to 90% of the total ASIC memory, with an
162arbitrary ratio of longest-prefix match (LPM) entries and exact match /32 entries, while reducing
163the size of other tables. Similarly, when using SD-Fabric for UPF, one could decide to recompile
164the P4 program with larger GTP-U tunnel tables, while reducing the IPv4 routing table size to
16510-100 entries (since most traffic is tunneled) or by entirely removing the IPv6 tables.
166
167Closed Loop Control
168^^^^^^^^^^^^^^^^^^^
169With complete transparency, visibility, and verifiability, SD-Fabric becomes capable of being
170optimized and secured through programmatic real-time closed loop control. By defining specific
171acceptable tolerances for specific settings, measuring for compliance, and automatically adapting
172to deviations, a closed loop network can be created that dynamically and automatically responds
173to environmental changes. We can apply closed loop control for a variety of use cases including
174resource optimization (traffic engineering), verification (forwarding behavior), security (DDoS
175mitigation), and others. In particular, in collaboration with the Pronto™ project, a microburst
176mitigation mechanism has been implemented in order to stop attackers from filling up switch
177queues in an attack attempting to disrupt mission critical traffic.
178
179SDN, White Boxes, and Open Source
180SD-Fabric is based on a purist implementation of SDN in both control and data planes. When
181coupled with open source, this approach enables faster development of features and greater
182flexibility for operators to deploy only what they need and customize/optimize the features the
183way they want. Furthermore, SDN facilitates the centralized configuration of all network
184functionality, and allows network monitoring and troubleshooting to be centralized as well. Both
185are significant benefits over traditional box-by-box networking and enable faster deployments,
186simplified operations, and streamlined troubleshooting.
187
188The use of white box (bare metal) switching hardware from ODMs significantly reduces CapEx
189costs when compared to products from OEM vendors. By some accounts, the cost savings can
190be as high as 60%. This is typically due to the OEM vendors amortizing the cost of developing
191embedded switch/router software into the price of their hardware.
192
193Finally, open source software allows network operators to develop their own applications and
194choose how they integrate with their backend systems. And open source is considered more
195secure, with ‘many eyes’ making it much harder for backdoors to be intentionally or
196unintentionally introduced into the network.
197
198Such unfettered ability to control timelines, features and costs compared to traditional network
199fabrics makes SD-Fabric very attractive for operators, enterprises, and government applications.
200
201Extensible APIs
202^^^^^^^^^^^^^^^
203People usually think of a network fabric as an opaque pipe where applications send packets into
204the network and hope they come out the other side. Little visibility is provided to determine
205where things have gone wrong when a packet doesn't make it to its destination. Network
206applications have no knowledge of how the packets are handled by the fabric.
207
208With the SD-Fabric API, network applications have full visibility and control over how their
209packets are processed. For example, a delay-sensitive application has the option to be informed
210of the network latency and instruct the fabric to redirect its packet when there is congestion on
211the current forwarding path. Similarly, the API offers a way to associate network traffic with a
212network slice, providing QoS guarantees and traffic isolation from other slices. The API also plays
213a critical role in closed loop control by offering a programmatic way to dynamically change the
214packet forwarding behavior.
215
Carmelo Cascone43989982021-10-12 00:01:19 -0700216At a high level, SD-Fabric's APIs fall into four major categories: configuration, information,
Charles Chan10ad1442021-10-05 16:57:26 -0700217control, and OAM.
218
219- Configuration: APIs let users set up SD-Fabric features such as VLAN information for
220 bridging and subnet information for routing.
221- Information: APIs allow users to obtain operation status, metrics, and network events
222 of SD-Fabric, such as link congestion, counters, and port status.
223- Control: APIs enable users to dynamically change the forwarding behavior of the
224 fabric, such as drop or redirect the traffic, setting QoS classification, and applying
225 network slicing policies.
226- OAM: APIs expose operational and management features, such as software upgrade
227 and troubleshooting, allowing SD-Fabric to be integrated with existing orchestration
228 systems and workflows.
229
230Edge-Cloud Ready
231----------------
232SD-Fabric adopts cloud native technologies and methodologies that are well developed and
233widely used in the computing world. Cloud native technologies make the deployment and
234operation of SD-Fabric similar to other software deployed in a cloud environment.
235
236Kubernetes Integration
237^^^^^^^^^^^^^^^^^^^^^^
238Both control plane software (ONOS™ and apps) and, importantly, data plane software (Stratum™),
239are containerized and deployed as Kubernetes services in SD-Fabric. In other words, not only the
240servers but also the switching hardware identify as Kubernetes ‘nodes’ and the same processes
241can be used to manage the lifecycle of both control and data plane containers. For example, Helm
242charts can be used for installing and configuring images for both, while Kubernetes monitors the
243health of all containers and restarts failed instances on servers and switches alike.
244
245.. image:: images/arch-k8s.png
246 :width: 500px
247
248Configuration, Logging, and Troubleshooting
249^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
250SD-Fabric reads all configurations from a single repository and automatically applies appropriate
251config to the relevant components. In contrast to traditional embedded networking, there is no
252need for network operators to go through the error-prone process of configuring individual leaf
253and spine switches. Similarly, logs of each component in SD-Fabric are streamed to an EFK stack
254(ElasticSearch, Fluentbit, Kibana) for log preservation, filtering and analysis. SD-Fabric offers a
255single-pane-of-glass for logging and troubleshooting network state, which can further be
Carmelo Cascone43989982021-10-12 00:01:19 -0700256integrated with operator's backend systems
Charles Chan10ad1442021-10-05 16:57:26 -0700257
258.. image:: images/arch-logging.png
259 :width: 1000px
260
261
262Monitoring and Alerts
263^^^^^^^^^^^^^^^^^^^^^
264SD-Fabric continuously monitors system metrics such as bandwidth utilization and connectivity
265health. These metrics are streamed to Prometheus and Grafana for data aggregation and
266visualization. Additionally, alerts are triggered when metrics meet predefined conditions. This
267allows the operators to react to certain network events such as bandwidth saturation even before
268the issue starts to disrupt user traffic.
269
270.. image:: images/arch-monitoring.png
271 :width: 1000px
272
273Deployment Automation
274^^^^^^^^^^^^^^^^^^^^^
275SD-Fabric utilizes a CI/CD model to manage the lifecycle of the software, allowing developers to
276make rapid iterations when introducing a new feature. New container images are generated
277automatically when new versions are released. Once the hardware is in place, a complete
278deployment of the entire SD-Fabric stack can be pushed from the public cloud with a single click
279fabric-wide in less than two minutes.
280
281.. image:: images/arch-deployment.png
282 :width: 900px
283
284Aether™-Ready
285^^^^^^^^^^^^^
286SD-Fabric fits into a variety of edge use cases. Aether is ONF's private 5G/LTE enterprise edge
287cloud platform, currently running in a dozen sites across multiple geographies as of early 2021.
288
289Aether consists of several edge clouds deployed at enterprise sites controlled and managed by a
290central cloud. Each Aether Edge hosts third-party or in-house edge apps that benefit from low
291latency and high bandwidth connectivity to the local devices and systems at the enterprise edge.
292Each edge also hosts O-RAN compliant private-RAN control, IoT, and AI/ML platforms, and
293terminates mobile user plane traffic by providing local breakout (UPF) at the edge sites. In
294contrast, the Aether management platform centrally runs the shared mobile-core control plane
295that supports all edges from the public cloud. Additionally, from a public cloud a management
296portal for the operator and for each enterprise is provided, and Runtime Operation Control (ROC)
297controls and configures the entire Aether solution in a centralized manner.
298
299SD-Fabric has been fully integrated into the Aether Edge as its underlying network infrastructure,
300interconnecting all hardware equipment in each edge site such as servers and disaggregated RAN
301components with bridging, routing, and advanced processing like local breakout. It is worth
302noting that SD-Fabric can be configured and orchestrated via its configuration APIs by cloud
303solutions, and therefore can be easily integrated with Aether or third party cloud offerings from
304hyperscalers. In Aether, SD-Fabric configurations are centralized, modeled, and generated by
305ROC to ensure the fabric configurations are consistent with other Aether components.
306
307In addition to connectivity, SD-Fabric supports a number of advanced services such as
308hierarchical QoS, network slicing, and UPF idle-mode buffering. And given its native support for
309programmability, we expect many more innovative services to take advantage of SD-Fabric over
310time.
311
312.. image:: images/arch-aether-ready.png
313 :width: 800px
314
315System Components
316-----------------
317
318.. image:: images/arch-software-stack.png
319 :width: 400px
320
321Open Network Operating System (ONOS)
322^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Carmelo Cascone43989982021-10-12 00:01:19 -0700323SD-Fabric uses ONF's Open Network Operating System (ONOS) as the SDN controller. ONOS is
Charles Chan10ad1442021-10-05 16:57:26 -0700324designed as a distributed system, composed of multiple instances operating in a cluster, with all
325instances actively operating on the network while being functionally identical. This unique
326capability of ONOS simultaneously affords high availability and horizontal scaling of the control
327plane. ONOS interacts with the network devices by means of pluggable southbound interfaces.
328In particular, SD-Fabric leverages P4Runtime™ for programming and gNMI for configuring
329certain features (such as port speed) in the fabric switches. Like other SDN controllers, ONOS
330provides several core services like topology discovery and end point discovery (hosts, routers,
331etc. attached to the fabric). Unlike any other open source SDN controller, ONOS delivers these
332core services in a distributed way over the entire cluster, such that applications running in any
333instance of the controller have the same view and information.
334
335ONOS Applications
336^^^^^^^^^^^^^^^^^
337SD-Fabric uses a collection of applications that run on ONOS to provide the fabric features and
338services. The main application responsible for fabric operation handles connectivity features
339according to SD-Fabric architecture, while other apps like DHCP relay, AAA, UPF control, and
340multicast handle more specialized features. Importantly, SD-Fabric uses the ONOS Flow Objective
341API, which allows applications to program switching devices in a pipeline-agnostic
342way. By using Flow-Objectives, applications can be written without worrying about low-level
343pipeline details of various switching chips. The API is implemented by specific device drivers
Carmelo Cascone43989982021-10-12 00:01:19 -0700344that are aware of the pipelines they serve and can thus convert the application's API calls to
Charles Chan10ad1442021-10-05 16:57:26 -0700345device-specific rules. In this way, the application can be written once, and adapted to pipelines
346from different ASIC vendors.
347
348Stratum
349^^^^^^^
350SD-Fabric integrates switch software from the ONF Stratum project. Stratum is an open source
351silicon-independent switch operating system. Stratum implements the latest SDN-centric
352northbound interfaces, including P4, P4Runtime, gNMI/OpenConfig, and gNOI, thereby enabling
353interchangeability of forwarding devices and programmability of forwarding behaviors. On the
354southbound interface, Stratum implements silicon-dependent adapters supporting network
355ASICs such as Intel Tofino, Broadcom™ XGS® line, and others.
356
357Leaf and Spine Switch Hardware
358^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
359In a typical configuration, the leaf and spine hardware used in SD-Fabric are typically Open
360Compute Project (OCP)™ certified switches from a selection of different ODM vendors. The port
361configurations and ASICs used in these switches are dependent on operator needs. For example,
362if the need is only for traditional fabric features, a number of options are possible – e.g., Broadcom
363StrataXGS ASICs in 48x1G/10G, 32x40G/100G configurations. For advanced needs that take
364advantage of P4 and programmable ASICs, Intel Tofino or Broadcom Trident 4 are more
365appropriate choices.
366
367ONL and ONIE
368^^^^^^^^^^^^
369The SD-Fabric switch software stack includes Open Network Linux (ONL) and Open Network
370Install Environment (ONIE) from OCP. The switches are shipped with ONIE, a boot loader that
371enables the installation of the target OS as part of the provisioning process. ONL, a Linux
372distribution for bare metal switches, is used as the base operating system. It ships with a number
373of additional drivers for bare metal switch hardware elements (e.g., LEDs, SFPs) that are typically
374unavailable in normal Linux distributions for bare metal servers (e.g., Ubuntu).
375
376Docker/Kubernetes, Elasticsearch/Fluentbit/Kibana, Prometheus/Grafana
377^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
378While ONOS/Stratum instances can be deployed natively on bare metal servers/switches, there
379are advantages in deploying ONOS/Stratum instances as containers and using a container
380management system like Kubernetes (K8s). In particular, K8s can monitor and automatically
381reboot lost controller instances (container pods), which then rejoin the operating cluster
382seamlessly. SD-Fabric also utilizes widely adopted cloud native technologies such as
383Elastic/Fluentbit/Kibana for log preservation, filtering and analysis, and Prometheus/Grafana for
384metric monitoring and alert.