[Bilingual Channel] SDN- and NFV-Based Service Function Chaining
Author: Internet
Hi. This is a demonstration of SDN- and NFV-based service function chaining.
What is service function chaining? An ordered set of service functions that creates subsequent traffic through them is termed as service function chaining.
But in traditional solutions, there are three issues. Like, each service function needs to be deployed manually and each service function is a special device, which brings in too much labor work to maintain and it is not scalable and flexible.
When we need to modify the chain, like when we need to add or delete a service function in the chain, it needs manual work and takes a lot of time and it is very error-prone.
What is SDN and NFV based service function chaining?
Here the service function is replaced by a VNF. It can be created dynamically, and it is scalable, flexible, faster to deploy, and efficient in resource usage, leading to lower OPEX and CAPEX.
Based on a centralized control, the controller can generate flows to form a service function chain automatically.
What's done in the OPNFV SFC Project? We lead the ONOSFW project in OPNFV to make ONOS support the NFV scenario. In ONOSFW, we support the below features like L2 feature, L3 feature, and service function chaining.
Here all the network functions are virtualized: the Layer 2 switch and Layer 3 router are OVS, the flow classifier is OVS, and the service function forwarder is OVS.
DPI, firewall, are virtual network functions. I mean the service functions like DPI and firewall are virtual network functions.
And we will show the below scenarios like we'll create a chain with the two service functions, which include firewall and DPI,
and we'll try to modify the chain by inserting as well as deleting a service function, and we will show the ONOS GUI, which shows the SFC part in the given base topology.
The key components in OPNFV are OpenStack, ONOS, and OVS.
For OpenStack we use the Liberty release in a multi-node deployment, for ONOS we use the 1.6 Goldeneye release, and for OVS we use 2.5.90 with the official NSH patch.
The first scenario is creating a service function chain test.
Before creating a service function chain, I'll be creating a base topology. Actually, the base topology is already created.
You can see that there are two nodes, one is the controller node, and one is the compute node of OpenStack. Both nodes are connected to ONOS, and four VMs are spawned on them. You can see that.
In the ONOS GUI, you can see the two devices co-detected and there are few VMs spawned on them.
The same thing we can see in the OpenStack dashboard: we have created four VMs, which are the source, SF1, SF2, and the destination.
Before creating the service function chain, the packet from source will directly go to the destination.
After creating the service function chain, the packet reaches the classifier, where once the classifier classifies the packet, which is eligible for service function chaining, it will forward the packet to the firewall first, which is the first service function, and then the packet will be forwarded to the DPI, in our case it is the second service function, and then the packet will go to the destination.
The other job of the classifier is to add the NSH header to the classified packet for a service function chain.
Once the packet reaches the last service function, the NSH header will be popped, and then the original packet will be forwarded to the destination.
Now, we will see this scenario.
Here I have four instances. Like, one is my source. This is my source, this is my SF1, this is my SF2, this is my destination.
I'm going to run a simple plain server program. I'm going to connect to my destination, whose IP is 20.0.0.6, and I send a message, the message will reach the destination directly, and then the server will send back the same packet to the client.
Now, I'm going to create a service function chain.
The chain is created. The packet flow will be changed.
In the SF1, I'll be running the firewall program. In the SF2, I will be running the DPI program.
So that, now when I send a packet, when I send a message, the packet will flow from SF1.
If you see, once this packet goes to the classifier, which is OVS, it will add the NSH header and send it to the first service function. Initially, the NSH value will be ff, which means 255.
The first service function, after processing the packet it will decrement the NSH value, and then send it out, so that the second service function will receive the NSH value with fe.
So, in our case this is the last service function, so when the packet goes out from here, the NSH header will be popped and the original packet is sent to the destination. So the destination will send back the same message to the client.
In the DPI we can also see the content of the message; I mean, whatever we have given, the same message we can see over here.
Now, what is the functionality of a firewall?
So based on some configuration, it will drop some packets.
So now, I'm going to configure this firewall to block my source. My source IP is 20.0.0.3, so I'm telling my firewall to block any packets coming from 20.0.0.3.
So when I send a packet, you can see the firewall drops the packet. It is not received on the other side. My firewall drops the packet.
Now when I remove the configuration underneath my firewall again, the packet flow continues. Okay?
Now, we go to the next scenario: modifying the chain. That means we will insert a service function, like a parental control service function, at the beginning of my chain.
So that, now the packet, which is eligible for SFC, the classifier will send the packet directly to the parental control, then the packet will go to the firewall, then the packet will go to the DPI, then the packet will reach the destination.
Now, we will see this scenario.
So here, I'll be running my parental control service function.
So when I run this, now when I send a packet, first the packet will reach the parental control service function.
We can see the NSH value is ff for here, and then the packet will go to firewall. From firewall, the packet will go to the DPI, which is service function two, and then the packet goes to the destination.
So what is the functionality of a firewall? I want to block something.
So when I configure my firewall, sorry, when I configure my parental control, to drop deep packets which have some content. So I will configure like, so I will configure the keyword header.
So, if the packet contains this word, then the packet will be dropped in the parental control. So, normal packets it will forward.
So when I send a message with a content, it will drop the packet. Other packets, it will continue to forward.
Now, I'm going to delete this parental control service function chain. Sorry, I'm going to delete this parental control from this service function chain.
So now, the packet should go from classifier to firewall, firewall to DPI, and then from DPI to the destination.
Now, you can see, there'll be no packets coming to the parental control. Now packet will go to the firewall, firewall to DPI, and then from DPI to the destination.
Now, I'll be showing the ONOS GUI.
You can see here, the topology is already detected in ONOS.
Now, I'm going to select the SFC path. Currently I have created only one service function chain, so when I select this path, you can see the path got highlighted.
Also, we can see the summary like from this source, the packet will be forwarded to SF1, from SF1 the packet will be forwarded to SF2, and from SF2 the packet will be forwarded to the destination.
Also, when we click on the service function, it will show me the service function name, its IP address, as well as its MAC address.
Yep, thank you.
The full video follows below. We hope you can improve your English together with SDNLAB's bilingual editor while learning the technology.
https://v.qq.com/x/page/v0332cmns0y.html
Source: https://blog.51cto.com/u_15127681/2824843