Sunday, May 17, 2020

Best way to build overlay SDN-capable network on FOSS 2nd try

Hi Folks, please don't read the explanatory text below. It may break your mental health. I'm looking here for an experienced reply from someone who has ALREADY tried OpenContrail/OpenDayLight/POX/Neutron/VPP/OvS/FRR/ExaBGP with DPDK and can point me to FOSS forks (alternatives) that I can look into (of course I can spend months in trial and error and find it by myself). I mentioned branch-HQ just to show the distributed nature of our network. Sorry for any rudeness; I'm not a native speaker, so it's just translation issues, I believe. I appreciate your time spent and efforts in helping. Currently I need only tech advice here. Please don't make any suggestions on how we should build our processes.

DON'T READ BELOW: I'm representing a network solution architect team in a huge country-wide organization with numerous (~1000) branch offices and reseller points. Yes, we are going to migrate an old setup with newer approaches and tech in mind. Currently we have a mixture of IPsec/OpenVPN/ugly RA and site-to-site connections. We have redundant RASes distributed over a few locations. The whole idea is to provide access to some central services (hosted in AWS) and have access from HQ to particular IP-ready equipment in remote locations. That's the baseline we have now.

The way this network operates now is less efficient than you might think. There are numerous outages, fat-finger mistakes, HW failures, long restoration times, and a lot of manual config required on the remote side (I mean both remote hands and centrally initiated provisioning).

We are going to build a new implementation which involves a few new concepts (SDN), techniques (VXLAN) and technologies (OvS/WireGuard/EVPN). In general we are going to create an overlay on top of the existing underlay backbone, and soon decommission the old gateway hardware. We'll start with shipping appliances which will host kvm/docker images with preinstalled software which is going to build up a connection to our HQ. Then we will use this appliance as a reverse proxy for accessing remote resources and finally will switch on-premise to use the appliance as the main GW. Most remote locations have an internet-routable IPv4 address, so the appliance will also serve as a NAT GW (the needed bandwidth is very small).

Here is a summary of the connectivity requirements we've defined:
1. automated provisioning of the RA outbound tunnel (remote side is the requester)
2. direct IP connectivity inside the created overlay (branch to HQ and vice versa) (VRouter functionality)
3. possibility to isolate and to grant spoke-to-spoke flows
4. ability to tunnel L2 to a remote location
5. ability to tunnel a trunk with 10 VIDs to a remote location
6. appliance redundancy for SW components (HA inside the host kvm)
7. cryptography to secure tunnel creation
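As an added illustration of how requirements 1, 3 and 7 could be expressed on the WireGuard side of such an overlay (this is example code written for this page, not code from the post or from any of the projects it names), the generator below renders a hub-and-spoke WireGuard configuration: the spoke dials out (no `Endpoint` on the hub side, `PersistentKeepalive` on the spoke side), each spoke's key is pinned to exactly its own tunnel address and LAN via `AllowedIPs`, spoke-to-spoke reachability exists only for explicitly granted pairs, and address overlaps are rejected before anything is rendered. All names, addresses and keys are constructed placeholders; real keys come from `wg genkey` / `wg pubkey`. VXLAN/EVPN on top of the tunnel and HA of the appliance itself are outside the snippet.

```python
"""Hub-and-spoke WireGuard config generator (added example, not the post's
or any project's own code). Assumptions: one HQ hub, spokes always initiate,
each spoke owns one LAN prefix, and spoke-to-spoke traffic is denied unless
a pair is explicitly granted. Keys and addresses below are placeholders."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Spoke:
    name: str
    public_key: str   # placeholder; the real value comes from `wg pubkey`
    tunnel_ip: str    # address inside the overlay, e.g. "10.255.0.11"
    lan: str          # on-premise prefix behind this spoke


@dataclass(frozen=True)
class Hub:
    public_key: str
    endpoint: str     # the only address a spoke needs to know (constructed)
    tunnel_ip: str
    hq_prefixes: tuple  # central services reachable via HQ


def validate(hub, spokes):
    """Reject duplicate tunnel IPs and overlapping prefixes before rendering;
    these are the kind of fat-finger mistakes the post complains about."""
    seen_ips = {hub.tunnel_ip}
    nets = [ipaddress.ip_network(p) for p in hub.hq_prefixes]
    for s in spokes:
        if s.tunnel_ip in seen_ips:
            raise ValueError(f"duplicate tunnel IP {s.tunnel_ip} ({s.name})")
        seen_ips.add(s.tunnel_ip)
        net = ipaddress.ip_network(s.lan)
        for other in nets:
            if net.overlaps(other):
                raise ValueError(f"{s.name}: {net} overlaps {other}")
        nets.append(net)


def hub_config(hub, spokes, hub_private_key):
    """Hub side: one [Peer] per spoke and no Endpoint, because the spoke is
    the requester (req. 1). AllowedIPs pins each spoke key to its own tunnel
    address and LAN, so a spoke cannot source traffic for another's prefix."""
    lines = ["[Interface]", f"Address = {hub.tunnel_ip}/32",
             "ListenPort = 51820", f"PrivateKey = {hub_private_key}"]
    for s in spokes:
        lines += ["", f"# {s.name}", "[Peer]", f"PublicKey = {s.public_key}",
                  f"AllowedIPs = {s.tunnel_ip}/32, {s.lan}"]
    return "\n".join(lines) + "\n"


def spoke_config(spoke, hub, spokes, grants, spoke_private_key):
    """Spoke side: a single peer (the hub). Only HQ prefixes plus the LANs of
    explicitly granted spokes are routed into the tunnel (req. 3). The
    keepalive keeps the outbound NAT mapping open since the hub never dials."""
    allowed = [f"{hub.tunnel_ip}/32", *hub.hq_prefixes]
    for other in spokes:
        if other.name != spoke.name and frozenset({spoke.name, other.name}) in grants:
            allowed.append(other.lan)
    lines = ["[Interface]", f"Address = {spoke.tunnel_ip}/32",
             f"PrivateKey = {spoke_private_key}", "", "[Peer]",
             f"PublicKey = {hub.public_key}", f"Endpoint = {hub.endpoint}",
             f"AllowedIPs = {', '.join(allowed)}", "PersistentKeepalive = 25"]
    return "\n".join(lines) + "\n"


def hub_forward_policy(spokes, grants):
    """LAN prefix pairs the hub's firewall should allow to forward between
    spokes. AllowedIPs alone does not stop the hub from relaying between
    spokes, so the default for every other spoke pair must be drop (req. 3)."""
    return [(a.lan, b.lan) for a in spokes for b in spokes
            if a.name < b.name and frozenset({a.name, b.name}) in grants]


# Constructed sample inventory (placeholder keys, documentation-style addresses).
HUB = Hub("HUB_PUB_PLACEHOLDER", "hq.example.invalid:51820", "10.255.0.1",
          ("10.10.0.0/16",))
SPOKES = (Spoke("branch-a", "A_PUB_PLACEHOLDER", "10.255.0.11", "192.168.11.0/24"),
          Spoke("branch-b", "B_PUB_PLACEHOLDER", "10.255.0.12", "192.168.12.0/24"),
          Spoke("branch-c", "C_PUB_PLACEHOLDER", "10.255.0.13", "192.168.13.0/24"))
GRANTS = {frozenset({"branch-a", "branch-b"})}   # the only spoke pair allowed to talk

if __name__ == "__main__":
    validate(HUB, SPOKES)
    print(hub_config(HUB, SPOKES, "HUB_PRIV_PLACEHOLDER"))
    print(spoke_config(SPOKES[0], HUB, SPOKES, GRANTS, "A_PRIV_PLACEHOLDER"))
    print("hub forward allow-list:", hub_forward_policy(SPOKES, GRANTS))
```

The split between `spoke_config` (what a spoke routes into the tunnel) and `hub_forward_policy` (what the hub is willing to relay) is deliberate: the spoke side is only a routing hint, while isolation is enforced at the hub, so a misconfigured or compromised branch appliance cannot grant itself reachability to another branch.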

So, finally, the questions part:
- what open-source software products can you suggest (OvS)?
- what SDN controller to use (we are looking at Tungsten Fabric, the old OpenContrail from Juniper)?
- what CI/CD stack to implement (ansible/terraform)?
- what proactive monitoring approach to use?

Any kind of input from you will be very valuable for us. Understand me correctly, we are now only in the phase of considering possible options. Grats!


