
Lecture 1
Introduction to Software-defined Networking (SDN)


1. Fundamentals of Software-defined Networking (SDN) and OpenFlow
2. SDN abstracts the network
3. HP SDN campus applications
4. Data center and cloud SDN solutions


Introduction to the lecture
SDN has become a popular topic in networking-related websites and magazines. You
cannot browse such publications without finding multiple articles about SDN.
Likewise, networking vendors are hosting webinars that focus on SDN and the
advantages it might offer in the future.
As often happens with emerging technologies, vendors do not always agree on what
SDN is. Some focus on only one aspect of SDN and may not provide the complete
“big picture” of SDN.


Introduction to the lecture
This chapter introduces you to SDN, explaining
why it is needed and outlining how it
fundamentally changes networking.
You will learn how SDN enables organizations to
react to changes and to provision the network
more quickly.
You will also see how it enables developers to
innovate new applications.
In the chapters that follow you will learn about the
SDN solutions HP has released.


Introduction to
1. Fundamentals of Software-defined Networking (SDN) and OpenFlow


Legacy networks
Server and storage architectures have modernized to keep pace with the
ever-growing expectations of an always-on world, but the underlying network
has not.
The data center network itself, while certainly bigger and faster, has largely
been built the same way for two decades.
Evolution of campus networks has been slow, despite the mobility revolution.


Legacy networks
Whether in the data center or on the campus, when legacy networks are pushed to
the limit, they become fragile, difficult to manage, vulnerable, and expensive
to operate.
Manual configuration and operation simply do not scale to the demands of today’s
applications, users, and business requirements.
Businesses whose networks are at this breaking point risk missing the next wave
of opportunity.


Legacy networks cannot keep up with demands from
cloud, security, mobility, and big data.
Figure highlights some of the problems companies face.
SDN gives you an intelligent, responsive, programmable,
and centrally controlled network design.


Software-defined networking
SDN is easier to manage, and it keeps pace
with today’s diverse, growing workloads.
HP SDN provides a programmable
network that is aligned to business
applications and based on open standards.
And our industry-first SDN App Store
provides a marketplace for SDN
applications and a platform to share


Server virtualization and innovation
Before you delve into the technical details of SDN, you should understand the
industry trends that are driving the move to it, which are highlighted in Figure,
about server virtualization and innovation.


Server virtualization and innovation
In contrast, in the server arena, virtualization
technologies such as VMware have
revolutionized server deployment and setup. No
longer do server administrators have to spend
days or weeks sourcing a physical server, using
CDs or DVDs to install operating systems,
downloading patches, and installing various
software components such as Exchange or SQL
server. They can simply provision a server in
minutes or seconds using VMware virtual


Server virtualization and innovation
This kind of rapid innovation and quick deployment is
still lacking in networking today. Network
administrators often still configure networks in a
laborious and time-consuming manner via the CLI.
The CLI is used to configure VLANs, routing, IP
addresses, and to implement how policies are deployed
(think about access control lists [ACLs], for example).
Management options such as Simple Network
Management Protocol (SNMP) have helped with
network management, but this is just another method
of configuring the localized control plane on each
device rather than changing the way networks operate.


The server environment has been further abstracted
with virtual servers. Moving to virtual servers allows
systems administrators to deploy servers in minutes
or in seconds. In addition, they can easily move
virtual servers from one physical host to another
using technologies such as VMware vMotion. A
virtual server can also be moved dynamically, based
on resource use. That is, if a virtual server needs
more resources or the resources on a particular
server become overloaded, the virtual server is
automatically moved to server hardware that has
available resources.


Storage has had a similar evolution: storage no longer
relies on physical disks in each individual server.
Storage is abstracted with logical storage and physical
storage components. To provide fast and reliable
storage for computing and data processing, disks are
now housed in storage arrays. Systems administrators
access logical storage without regard to the physical
storage structure.
For both servers and storage, abstraction has provided
flexibility and agility and opened the door for


Server proprietary stacks
The figure shows how customers migrate from proprietary hardware to virtualized
systems.


Network virtualization
When thinking about networking today, remember what has happened in both the
server and storage markets. We are starting to see these same sorts of pressures
and innovations come to the networking market.
There is often discussion of how quickly or how slowly SDN will arrive. Remember
that the industry has seen virtualization a couple of times already, once with
servers and again with storage. This is not an unfamiliar concept.
Here is an extreme example of virtualized networking that illustrates the vision
of SDN.


Example 1
Assume that you went to an electronics store
and purchased four low-end switches for US $60
You then added these switches to your
company’s existing network.
As long as the switches support OpenFlow,
which is a standard protocol between the
control plane and the switches, you can
program the switches to forward traffic as the
external application dictates.


Example 1
The application could, via the SDN controller, program a switch to route packets.
The switch may not have the intelligence to understand routing, but a higher-level
application with that intelligence has programmed the switch to route based on
the packet headers it receives. The application, rather than the switches, has
the routing capability in this example.
All the switch does is match packets containing specific headers and change them
according to the instructions provided via the OpenFlow protocol. These forwarding
settings are written to an OpenFlow table via OpenFlow


Example 1
In this example, four low-end switches without
routing capability are able to route based on the
intelligence of an external application. The control
plane (network intelligence or network brain) is
running on an external device, while the forwarding
plane (data plane/switching plane) with less
intelligence is following instructions given to it.
This example may not be implemented in your
network today, but is one of the visions of SDN many
are pursuing.


Example 2
Another example that may be implemented in your network today is
extending the functionality of basic edge switches. Edge switches
generally do not contain DNS interception capabilities and databases of
malicious websites.
However, a flow entry could be programmed on a switch to forward all
DNS traffic to an external controller running an application that does
have this intelligence. This is what the HP Network Protector SDN
Application provides. Switches still switch or route as usual, but their
functionality is extended by leveraging OpenFlow, external controllers,
and external applications.
In this study guide, virtualized networking or SDN refers to the ability
to take network features and functions, install them somewhere in the
network and then apply them to boxes (switches, routers, and others)
that are general-purpose processing engines.
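The DNS interception that Example 2 describes, as an added example (it is not HP Network Protector code, nor code from this lecture): the controller keeps a proactive flow entry that steers UDP/53 traffic to it, parses the question name out of each packet-in, and answers with a drop or forward action. The flow-entry dictionary, the blocklist, and the query bytes are constructed for this example; the message layout follows RFC 1035.

```python
"""Controller-side DNS interception in the style of Example 2.
Added example for this lecture; it is not HP Network Protector code. The flow-entry
dictionary, the blocklist and the query bytes are constructed sample data; the
message layout follows RFC 1035 (12-byte header, then labels, then QTYPE/QCLASS)."""
import struct
from typing import List, Optional

# Proactive entry the controller pushes to each edge switch: all DNS queries become
# packet-ins (toy representation; field names only loosely follow OpenFlow).
DNS_TO_CONTROLLER = {"match": {"ip_proto": 17, "udp_dst": 53},
                     "priority": 500, "actions": ["controller"]}

BLOCKLIST = {"evil.example", "malware-c2.test"}   # a real app uses a threat-intelligence feed


def parse_qname(msg: bytes, offset: int = 12) -> Optional[str]:
    """Return the first question's name in lower case, or None if malformed.
    Refuses compression pointers (never valid in a question) and never reads past the end."""
    labels: List[str] = []
    while True:
        if offset >= len(msg):
            return None
        n = msg[offset]
        offset += 1
        if n == 0:
            break
        if n & 0xC0 or offset + n > len(msg):    # pointer/reserved bits, or label overruns message
            return None
        labels.append(msg[offset:offset + n].decode("ascii", "replace").lower())
        offset += n
    return ".".join(labels)


def is_blocked(name: str, blocklist=BLOCKLIST) -> bool:
    """True for a listed name and for every subdomain of it."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def dns_policy(msg: bytes) -> str:
    """Decision for one packet-in carrying a DNS message: 'drop' or 'forward'."""
    if len(msg) < 12:
        return "drop"                           # truncated header
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if flags & 0x8000 or qdcount == 0:
        return "forward"                        # a response, or nothing to inspect
    name = parse_qname(msg)
    if name is None:
        return "drop"                           # malformed: fail closed at the access layer
    return "drop" if is_blocked(name) else "forward"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a minimal standard A query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


if __name__ == "__main__":
    for q in ("www.example.org", "cdn.evil.example"):
        print(q, "->", dns_policy(build_query(q)))
```

Two practitioner points the slide glosses over: the parser must bounds-check every label and refuse compression pointers in the question section, because this code runs on the controller and a malformed query from any host reaches it; and malformed queries are dropped here (fail closed), which is a choice to make explicitly, since on some networks it is preferable to forward what you cannot parse and raise an alert instead.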


Software centric solutions
Rather than concentrating on operating systems
like Comware, ProVision, or IOS and then
comparing the features and functionality of each
operating system, SDN de-emphasizes the
operating system and focuses on extending the
capability of network devices using software.
This software may be running on an x86
platform, written in Java, Python, or a multitude
of other languages. Features can be added to the
networking device programmatically via open
APIs like OpenFlow and others.


Software centric solutions
• Do not bundle as many features as
possible into an operating system that
only runs on specific hardware
(ASICs) and has the added risk that
the operating system and hardware
will become obsolete in a few years.
• Rather, enhance network features by
adding these to external servers and
then programmatically extending the
feature sets of network devices
without the devices having to
understand all features.


Multiple SDN view
It is important to define what SDN actually is because there are competing
viewpoints. In the past, there were competing technologies and standards for
high-definition replacements of DVDs: Blu-ray versus HD DVD. Before that, if you
are old enough to remember, there was a battle between competing technologies and
formats for video cassettes: VHS versus Betamax.
With both these examples, you had to make your choice based on whatever your
criteria were: cost, quality, company reputation, and so forth. You then had to
get the player that supported the format of your choice and then you had to make
sure that every disc you purchased supported the format you selected (Blu-ray or
HD DVD).


Multiple SDN view
Something similar is happening with SDN. There are competing
viewpoints and definitions—some of which are open standards based,
and some which are proprietary. Figure displays these standards.


Multiple SDN view
The Clean Slate program asked the question: if we were to
begin building networks anew — without any existing
traditional methods — how would we build them? Would
networking technology look like it does today, or would it
look different?
The answer arrived at by Clean Slate is that there should
be a control and management system “running the show.”
The network itself should be driven by network-level
objectives (rather than distributed device configurations).
And furthermore, that this centralized system would be
able to look at the entire network and make optimal,
intelligent, and predictable decisions about how traffic
should be forwarded and routed throughout the network.


Multiple SDN view
This central control system — called ‘Ethane’ — used
policy information and a database of various information
(topology, registration, and bindings) to administer rules
regarding network access by individual devices.
In this way, Ethane is a sort of a network access control
(NAC) solution. Typical NAC systems require control
functionality on the device (for example, RADIUS or
captive portal), or else functionality in a special in-line
appliance, to achieve their desired functionality. This
solution was achieved with no special software on the
device or the appliance—it was all done with simple devices
that exposed their ‘flow tables’ to the central controller.


Multiple SDN view
There was cross-pollination of ideas between Stanford researchers and HP about
making networks more programmable. Ethane was the precursor to OpenFlow, which
allows a developer to access the forwarding logic of a switch and then
programmatically change the switch’s forwarding behavior.
One of the problems facing the Stanford researchers was that it is difficult to
deploy new concepts and operating-system extensions like OpenFlow on hardware
switches.
This is especially true with the closed, proprietary operating systems used by
networking vendors at the time. They also did not have access to manufacturing
facilities and other resources to simply go out and create new production-grade,
scalable hardware switches.

Ethane: Addressing the Protection Problem in Enterprise Networks

Martin Casado
Michael Freedman
Glen Gibb
Lew Glendenning
Dan Boneh
Nick McKeown
Scott Shenker
Gregory Watson
Presented By: Martin Casado
PhD Student in Computer Science,
Stanford University
[email protected]
June, 2006
Stanford 2006

Goal

Design network where connectivity is
governed by high-level, global policy
“Nick can talk to Martin using IM”
“marketing can use http via web proxy”
“Administrator can access everything”
“Traffic from secret access point cannot share infrastructure
with traffic from open access point”

Problem with Bindings Today

•Goal: map “hostname” to physical “host”
(diagram: chain of bindings from Host Name down to Physical Interface)
•What if attacker can interpose between any of
the bindings?
(e.g. change IP/MAC binding)
•What if bindings change dynamically?
(e.g. DHCP lease is up)
•Or physical network changes?

Examples of Problems Today are LEGION

ARP is unauthenticated
(attacker can map IP to wrong MAC)
DHCP is unauthenticated
(attacker can map gateway to wrong IP)
DNS caches aren’t invalidated as DHCP
lease times come up (or clients leave)
Security filters often aren’t invalidated
with permission changes
Many others …

Two Main Challenges

Provide a namespace for the
Design Mechanism to Enforce

Our Solution: Ethane

Flow-based network
Central Domain Controller (DC)
Implements secure bindings
Authenticates users, hosts, services, …
Contains global security policy
Checks every new flow against security policy
Decides the route for each flow
Access is granted to a flow
Can enforce permit/deny
Can enforce middle-box interposition constraints
Can enforce isolation constraints

Ethane: High-Level Operation

(diagram: Host A and Host B attached to switches, with the Domain Controller in
the middle; the recoverable labels follow)
Host joining: “hi, I’m host A, my password is …; can I have an IP?”
Network Policy: “Nick can access Martin using ICQ”
Secure Binding State:
ICQ → 2525/tcp
Host A → IP
IP → switch 3 port 4
Martin → Host A
Host B → IP
IP → switch 1 port 2
Nick → Host B
New flow: SYN packet → permission check at the Domain Controller


Component Overview
Switches
•Send topology information to the DC
•Provide default connectivity to the DC
•Enforce paths created by DC
•Handle flow revocation
Users/hosts
•Specify access controls
•Request access to services
Domain Controller (DC)
•Authenticates users/switches/end-hosts
•Manages secure bindings
•Contains network topology
•Does permissions checking
•Computes routes
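The binding and permission check that the High-Level Operation and Component Overview slides describe, as an added example (not the Ethane project’s code): a toy Domain Controller that registers hosts, binds host to IP to switch port when a host authenticates, binds users to hosts, and checks the first packet of every flow against a policy of (user, user, service) triples. Host names, credentials, switch ports, and the “admin” rule are constructed; only the policy sentence and the IM/ICQ port 2525 come from the slides.

```python
"""Toy Ethane-style Domain Controller: secure bindings plus a per-flow permission check.
Added example for this lecture, not code from the Ethane project. Hosts, users,
credentials, switch ports and the policy below are constructed; 'IM' is bound to
tcp/2525 as on the slide."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Location = Tuple[str, int]                       # (switch, port)
SERVICES = {"IM": ("tcp", 2525), "http": ("tcp", 80), "ssh": ("tcp", 22)}


@dataclass
class Flow:
    """First packet (SYN) of a new flow, as reported by the first-hop switch."""
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    seen_at: Location                            # ingress switch/port the packet arrived on


class DomainController:
    def __init__(self, policy: List[Tuple[str, str, str]]) -> None:
        self.policy = policy                     # (user, user, service); "*" matches anything
        self.host_cred: Dict[str, str] = {}      # registration: host -> credential
        self.ip_host: Dict[str, str] = {}        # binding: IP -> host
        self.host_loc: Dict[str, Location] = {}  # binding: host -> (switch, port)
        self.host_user: Dict[str, str] = {}      # binding: host -> authenticated user
        self.next_ip = 10

    def register(self, host: str, credential: str) -> None:
        self.host_cred[host] = credential

    def host_join(self, host: str, credential: str, where: Location) -> Optional[str]:
        """Host authenticates at a switch port; the DC binds host -> IP -> location."""
        if self.host_cred.get(host) != credential:
            return None                          # unregistered or wrong credential: no address
        ip = f"10.0.0.{self.next_ip}"
        self.next_ip += 1
        self.ip_host[ip] = host
        self.host_loc[host] = where
        return ip

    def user_login(self, user: str, host: str) -> None:
        self.host_user[host] = user              # user authenticates and is bound to the host

    def host_leave(self, host: str) -> None:
        """Lease expiry or disconnect: drop every binding that depended on the host."""
        for ip in [ip for ip, h in self.ip_host.items() if h == host]:
            del self.ip_host[ip]
        self.host_loc.pop(host, None)
        self.host_user.pop(host, None)

    def check_flow(self, flow: Flow) -> Tuple[str, str]:
        """Permission check on the first packet of a flow: (verdict, reason)."""
        src_host = self.ip_host.get(flow.src_ip)
        if src_host is None:
            return "deny", "source IP has no binding"
        # The IP binding is only honoured from the port the host authenticated on,
        # which closes the ARP/DHCP-style spoofing gap from the bindings slide.
        if self.host_loc[src_host] != flow.seen_at:
            return "deny", f"{flow.src_ip} is bound to {self.host_loc[src_host]}, seen at {flow.seen_at}"
        dst_host = self.ip_host.get(flow.dst_ip)
        if dst_host is None:
            return "deny", "destination IP has no binding"
        service = next((n for n, sig in SERVICES.items() if sig == (flow.proto, flow.dst_port)), None)
        if service is None:
            return "deny", "not a registered service"
        src_user, dst_user = self.host_user.get(src_host), self.host_user.get(dst_host)
        for who, whom, svc in self.policy:
            if who in (src_user, "*") and whom in (dst_user, "*") and svc in (service, "*"):
                return "permit", f"{src_user}@{src_host} -> {dst_user}@{dst_host} via {service}"
        return "deny", "no policy rule permits this flow"


def run_demo() -> Dict[str, Optional[str]]:
    dc = DomainController(policy=[("Nick", "Martin", "IM"), ("admin", "*", "*")])
    dc.register("hostA", "secretA")
    dc.register("hostB", "secretB")
    ip_a = dc.host_join("hostA", "secretA", ("switch3", 4))
    ip_b = dc.host_join("hostB", "secretB", ("switch1", 2))
    dc.user_login("Martin", "hostA")
    dc.user_login("Nick", "hostB")
    out = {"bad_join": dc.host_join("hostC", "guess", ("switch1", 5))}
    out["nick_im"] = dc.check_flow(Flow(ip_b, ip_a, "tcp", 2525, ("switch1", 2)))[0]
    out["nick_ssh"] = dc.check_flow(Flow(ip_b, ip_a, "tcp", 22, ("switch1", 2)))[0]
    # An attacker on another port borrows Nick's IP: the location binding does not match.
    out["spoof"] = dc.check_flow(Flow(ip_b, ip_a, "tcp", 2525, ("switch1", 5)))[0]
    dc.host_leave("hostB")                       # lease is up: bindings revoked at once
    out["after_leave"] = dc.check_flow(Flow(ip_b, ip_a, "tcp", 2525, ("switch1", 2)))[0]
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:12} {v}")
```

Two points are worth noting. The IP-to-host binding is only honoured from the switch port where the host authenticated, so a second machine that borrows the address is denied without the DC having to trust ARP or DHCP; and host_leave tears down every dependent binding at once, which is the fix for the stale DNS caches and security filters listed under “Examples of Problems Today”.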

Bootstrapping

Finding the DC
Generating topology at DC

Assumptions

DC knows all switches and their public keys
All switches know DC’s public key

Finding the DC

Switches construct a spanning tree rooted at the DC
Switches don’t advertise a path to the DC until they’ve authenticated
Once authenticated, switches pass all traffic without flow entries to the DC
(next slide)


Initial Traffic to DC

All packets to the DC (except first hop switch)
are tunneled
Tunneling includes incoming port
DC can shut off malicious packet sources


Decouple control and data path in switches
Software control path (connection setup)
(slightly higher latency)
DC can handle complicated policy
Switches just forward
(very simple datapath)
Simple, fast, hardware forwarding path
Single exact-match lookup per packet


Multiple SDN view
However, the concept of replacing the operating system of a switch with software
is a powerful one.
Thus, some of the researchers at Stanford started a company called Nicira.
The premise of their company was to create a programmable switch that was
software only and that could be deployed on various hardware platforms, such as
x86.
In the meantime, others at Stanford and other networking vendors were working on
OpenFlow (the OpenFlow 1.0 specification was published in December 2009), and in
2011 an industry organization, the Open Networking Foundation (ONF), was formed
to further OpenFlow and take over its specification.


Nicira and VMware
This shift in the market was observed by multiple vendors with great interest.
There was a lot of buzz in the marketplace at the time. VMware (also a software
company) offered $1.26 billion for Nicira. The Nicira technology has since been
rebranded VMware NSX.
NSX implements a version of SDN where a virtual network is overlaid (overlay
network) on the traditional physical network (underlay network) using Virtual
Extensible LAN (VXLAN) tunnels. This allows a server administrator to dynamically
create virtual networks between ESXi servers without having to ask network
administrators to configure and permit VLANs. VXLAN’s 24-bit network identifier
also supports about 16 million virtual networks, compared with the 4096 VLAN IDs
of 802.1Q.


Insieme and Cisco
Insieme was a separate startup, fully funded by Cisco, and was subsequently
purchased by Cisco in 2013.
Insieme employees had a lot of experience and expertise around ASICs
(application-specific integrated circuits) and programmable arrays.
Insieme chose to do software-defined programming in ASICs. This version of SDN,
Application Centric Infrastructure (ACI), is largely hardware-based, relying on
ASICs to implement SDN. It has become the Nexus 9000 product line.
It uses a proprietary protocol (OpFlex) instead of OpenFlow.


The ONF uses OpenFlow as a protocol.
VMware uses VXLAN and Cisco uses OpFlex.
The promise of OpenFlow and the ONF version of SDN is
interoperability and openness.
At the time of this writing, VMware has about 19 vendors
that they have partnered with. If you decide to use NSX,
you are limiting yourself to about 19 vendors’ products.
With Cisco, you have about 40 vendors (at the time of this
writing) that Cisco has signed a strategic relationship with.
If you go with the ONF version of SDN, you get well over
150 vendors.


OpenFlow versions
OpenFlow is managed by the ONF. It is a standards-based protocol allowing for a
centralized control plane in a separate device (the controller).
OpenFlow provides hardware abstraction, giving the controller a method to
communicate with multiple-vendor devices and multiple hardware types (routers,
switches, load balancers, and so forth), and uses a standard
It takes the control logic for packet forwarding and packet rules out of each
device and pushes the rules down through a hardware abstraction, where they are
followed by the individual network device.




Traditional switching
The basic processing of frames through the network is as follows:
1. Frame arrives at Switch 1 from PC A.
2. MAC address table is checked for the location of PC B.
3. Entry is found in the forwarding table.
4. Frame is transmitted out of port 2.
This process is repeated at every switch in the network.


Flow-based switching
In a pure OpenFlow environment, flow tables are used by devices
rather than routing or MAC address tables. In other words, a
switch has an OpenFlow pipeline for processing packets, rather
than a traditional pipeline using traditional switching mechanisms.


HP switches support both an OpenFlow pipeline and a traditional pipeline. This is
referred to as a hybrid switch in the OpenFlow specification.
In hybrid mode, a switch uses both an OpenFlow pipeline and a traditional
pipeline for frame or packet processing.
In hybrid mode, a hybrid switch processes most traffic via traditional
mechanisms, but OpenFlow can be used to override traditional forwarding.
Specific actions like dropping traffic or forwarding it differently can be
implemented in addition to traditional forwarding.


OpenFlow entries
An OpenFlow device is any network equipment supporting the OpenFlow protocol,
such as a switch. Each device maintains a flow table that indicates the processing
applied to any packet of a certain flow.
The OpenFlow protocol works as the interface between the controller and the
switches for setting up the flow table.
The flow table is updated by the controller, which adds and removes OpenFlow
entries using the OpenFlow protocol. The flow table contains a multitude of
OpenFlow entries, each associated with actions that command the switch to apply
some action (forward, drop, or encapsulate) to a certain flow.



OpenFlow entries
An entry in a basic OpenFlow table has three fields:
• Header (match) fields: define the match condition for a flow. A packet belongs
to the flow if it satisfies the defined match criteria.
• Action (instruction): defines how matching packets should be processed.
• Counters (statistics): keep track of the number of packets and bytes for each
flow (e.g., 100 packets, 8000 bytes). The time since the last packet matched the
flow is also recorded so that inactive flows can be removed (the idle timeout).
This can be configured within the HP VAN SDN Controller.


Actions and instructions
Each flow entry
has an action
associated with it.
The three actions
that all dedicated
switches must
support are the


Actions and instructions
• The first option is to
forward the packets of a
flow to a given port (or a
set of ports). This allows
the packets to be switched
through the network. In
most switches, this takes
place at line-rate speeds.


Actions and instructions
• The second option is to drop the
flow’s packets. This can be used
for security reasons, which are
to block unauthorized traffic,
stop denial of service attacks, or
reduce spurious broadcast
traffic from end-hosts. The HP
Network Protector application
can be used for this purpose.


Actions and instructions
• The third option is to encapsulate the
packet and forward the packets to the
SDN controller. The controller makes a
decision and forwards the packet back to
the switch. Typically, this method is only
used for the first packet in a new flow, so
a controller can decide if the flow should
be added to the flow table. On the other
hand, it could be used to forward all
packets to a controller for processing if
an application requires that


Introduction to
2. SDN abstracts the
network infrastructure


SDN architecture
As shown in Figure, SDN decouples the control logic from network
devices. Packet forwarding logic and packet rules are moved to a
separate device (the controller). Switches and other devices
implement the forwarding of traffic as instructed by the controller.


SDN architecture
Most initial SDN devices are routers and
switches. However, OpenFlow and SDN make
provision for many device types and are not
restricted to only routers or switches. Other
devices such as load balancers, firewalls, and
WAN optimization devices may also support
SDN in future. Any network forwarding
device that can be programmed to perform a
variety of activities may be part of SDN and
OpenFlow in the future.


OpenFlow switch
As Figure shows, an OpenFlow switch consists of one or more flow
tables and a group table, which perform packet lookups and
forwarding, and an OpenFlow channel to an external controller. The
switch communicates with the controller and the controller manages
the switch via the OpenFlow protocol.


OpenFlow switch
The OpenFlow channel can be secured using Transport Layer Security (TLS), the
successor to Secure Sockets Layer (SSL). Note that TLS is optional in the
OpenFlow specification: many deployments run the channel over plain TCP (port
6653, or 6633 in older releases), where anyone who can reach the connection can
read or inject flow modifications. Treat the controller-to-switch path as a
privileged management network and enable TLS with mutual certificate
authentication wherever the switch supports it.
Using the OpenFlow protocol, the controller can add, update, and delete flow
entries in flow tables, both reactively (in response to packets) and
proactively. Each flow table in the switch contains a set of flow entries; each
flow entry consists of match fields, counters, and a set of instructions to
apply to matching packets.



OpenFlow switch
Matching starts at the first flow table and may continue
to additional flow tables. Flow entries match packets in
priority order, with the first matching entry in each
table being used.
If a matching entry is found, then the instructions
associated with the specific flow entry are executed.
If no match is found in a flow table, then the outcome
depends on configuration of the table-miss flow entry;
for example, the packet may be forwarded to the
controller over the OpenFlow channel, dropped, or may
continue to the next flow table.


OpenFlow switch
Instructions associated with each flow entry either contain
actions or modify pipeline processing. Actions included in
instructions describe packet forwarding, packet
modification, and group table processing.
Pipeline processing instructions allow the packets to be
sent to subsequent tables for further processing and allow
information, in the form of metadata, to be communicated
between tables.
Table pipeline processing stops when the instruction set
associated with a matching flow entry does not specify a
next table. At this point, the packet is usually modified
and forwarded.


Proactive versus reactive flows
As illustrated in Figure, OpenFlow supports two
methods of flow insertion: proactive and reactive.


Proactive versus reactive flows
Reactive flow insertion occurs when a packet
reaches an OpenFlow switch without a
matching flow. The packet is sent to the
controller, which evaluates it, adds the
appropriate flows, and lets the switch
continue its forwarding.
Alternatively, flows can be inserted
proactively by the controller in switches before
packets arrive.
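The flow-entry fields, the forward/drop/controller actions, priority-ordered lookup across tables, table-miss handling, and proactive versus reactive insertion described across the preceding slides, as one added example (not HP, ONF, or OpenFlow reference code): a toy two-table switch driven by a reactive MAC-learning controller. Everything in it is constructed: the packets, the MAC addresses, the telnet-blocking policy entry, and the simplified match-field and action names.

```python
"""Toy model of an OpenFlow flow-table pipeline driven by a reactive controller.
Added example for this lecture; it is not HP, ONF or OpenFlow reference code.
Match-field names (in_port, eth_src, eth_dst, ip_proto, tp_dst) loosely follow
OpenFlow naming; every packet and entry below is constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    in_port: int
    eth_src: str
    eth_dst: str
    ip_proto: Optional[int] = None   # 6 = TCP, 17 = UDP
    tp_dst: Optional[int] = None     # transport-layer destination port
    length: int = 64                 # bytes, feeds the byte counter


@dataclass
class FlowEntry:
    match: Dict[str, object]          # field -> required value; a missing field is a wildcard
    priority: int
    actions: List[str]                # e.g. ["output:2"], ["drop"], ["controller"]
    goto_table: Optional[int] = None  # pipeline instruction: continue matching in this table
    idle_timeout: float = 0.0         # seconds without a match before removal; 0 = never
    packets: int = 0                  # per-entry counters
    bytes: int = 0
    last_matched: float = 0.0

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, f) == v for f, v in self.match.items())


class Switch:
    """Table 0 holds policy entries, table 1 holds learned forwarding entries."""

    def __init__(self, n_tables: int = 2) -> None:
        self.tables: List[List[FlowEntry]] = [[] for _ in range(n_tables)]

    def add_flow(self, table: int, entry: FlowEntry) -> None:
        self.tables[table].append(entry)
        self.tables[table].sort(key=lambda e: -e.priority)  # first match in priority order wins

    def expire(self, now: float) -> int:
        """Remove entries whose idle timeout elapsed; return how many were removed."""
        removed = 0
        for table in self.tables:
            live = [e for e in table if e.idle_timeout == 0 or now - e.last_matched < e.idle_timeout]
            removed += len(table) - len(live)
            table[:] = live
        return removed

    def process(self, pkt: Packet, now: float = 0.0) -> List[str]:
        """Run the packet through the pipeline and return the actions to apply."""
        table: Optional[int] = 0
        actions: List[str] = []
        while table is not None:
            entry = next((e for e in self.tables[table] if e.matches(pkt)), None)
            if entry is None:          # no table-miss entry: OpenFlow 1.3 drops the packet
                return ["drop"]
            entry.packets += 1
            entry.bytes += pkt.length
            entry.last_matched = now
            actions += entry.actions
            table = entry.goto_table   # None ends pipeline processing
        return actions


class Controller:
    """Reactive MAC-learning application: learns eth_src -> in_port from packet-ins and
    installs an exact-match entry in table 1 as soon as the destination is known."""

    def __init__(self, switch: Switch) -> None:
        self.sw = switch
        self.mac_to_port: Dict[str, int] = {}
        self.packet_ins = 0
        self.installed = 0

    def packet_in(self, pkt: Packet, now: float) -> List[str]:
        self.packet_ins += 1
        self.mac_to_port[pkt.eth_src] = pkt.in_port
        out = self.mac_to_port.get(pkt.eth_dst)
        if out is None:
            return ["flood"]           # unknown destination: flood this one packet
        self.sw.add_flow(1, FlowEntry(
            match={"in_port": pkt.in_port, "eth_src": pkt.eth_src, "eth_dst": pkt.eth_dst},
            priority=100, actions=[f"output:{out}"], idle_timeout=30, last_matched=now))
        self.installed += 1
        return [f"output:{out}"]


def forward(sw: Switch, ctl: Controller, pkt: Packet, now: float) -> List[str]:
    """A 'controller' action in the switch result becomes a packet-in to the controller."""
    actions = sw.process(pkt, now)
    return ctl.packet_in(pkt, now) if actions == ["controller"] else actions


def run_demo() -> dict:
    sw = Switch()
    ctl = Controller(sw)
    # Proactive entries, pushed before any traffic arrives.
    sw.add_flow(0, FlowEntry({"ip_proto": 6, "tp_dst": 23}, priority=200, actions=["drop"]))
    sw.add_flow(0, FlowEntry({}, priority=0, actions=[], goto_table=1))   # table-miss: next table
    sw.add_flow(1, FlowEntry({}, priority=0, actions=["controller"]))     # table-miss: packet-in
    a_to_b = Packet(in_port=1, eth_src="aa:aa", eth_dst="bb:bb", ip_proto=6, tp_dst=80)
    b_to_a = Packet(in_port=2, eth_src="bb:bb", eth_dst="aa:aa", ip_proto=6, tp_dst=40000)
    telnet = Packet(in_port=1, eth_src="aa:aa", eth_dst="bb:bb", ip_proto=6, tp_dst=23)
    out = {
        "first": forward(sw, ctl, a_to_b, now=0),   # flooded: bb:bb not yet learned
        "reply": forward(sw, ctl, b_to_a, now=1),   # controller installs bb->aa, outputs port 1
        "second": forward(sw, ctl, a_to_b, now=2),  # controller installs aa->bb, outputs port 2
        "third": forward(sw, ctl, a_to_b, now=3),   # served by the installed entry, no packet-in
        "telnet": forward(sw, ctl, telnet, now=4),  # dropped by the proactive policy entry
    }
    learned = next(e for e in sw.tables[1] if e.match.get("eth_src") == "aa:aa")
    out["counters"] = (learned.packets, learned.bytes)
    out["packet_ins"], out["installed"] = ctl.packet_ins, ctl.installed
    out["expired"] = sw.expire(now=100)   # both learned entries idle for more than 30 s
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:10} {v}")
```

Reading the result: the first packet in each direction costs a packet-in, after which the exact-match entry serves the flow in the switch; the proactive drop for tcp/23 never reaches the controller; and the idle timeout clears learned entries so the table does not fill with dead flows. Two caveats the slides do not mention: a switch with no table-miss entry drops unmatched packets in OpenFlow 1.3 rather than sending them to the controller, and a purely reactive design lets any host force packet-ins by varying its headers, so production controllers rate-limit packet-ins and prefer wildcard entries where they can.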


Do not forget that the controller and HP switches support hybrid mode. The hybrid
mode setting determines which packet-forwarding decisions are made by the
controlled switches and which of these decisions are made by the controller.
• If hybrid mode is enabled (the default
setting), the controller delegates normal
packet forwarding to the controlled switches,
but overrides these switches for nonstandard
packet forwarding decisions required by
installed applications for specific packet
types. In this mode, the controller relies on
the controlled switches to resolve loops and
determine forwarding paths by using
traditional networking mechanisms (such as
Spanning Tree Protocol [STP] or Open
Shortest Path First [OSPF] Protocol).
• If hybrid mode is disabled, the controller
makes the forwarding decisions for all
packets in the OpenFlow-controlled network.
In this state, the controller resolves network
loops and determines forwarding paths.


Journey to SDN
HP provides end-to-end SDN solutions to automate the
network from data center to campus and branch.
Expanding the innovation of SDN, HP SDN ecosystem
delivers resources to develop and create a market place for
SDN applications. The HP SDN ecosystem delivers the
following benefits:
• Simple: Extending simplicity of programmability across
the network with OpenFlow-enabled devices.
• Open: Raising the value of SDN with an open environment
delivered by SDN Software Development Kit (SDK).
• Enterprise ready: Fostering innovations with industry’s
first SDN App Store marketplace for SDN applications.


SDN industry solution
Figure shows the SDN architecture and the solutions
HP is providing, based on that architecture.


Infrastructure layer
At the infrastructure layer, HP has eased the move to an SDN by providing
OpenFlow support in more than 50 existing switch models.


Infrastructure layer
Because HP is adding OpenFlow support to the switch software of existing
switches, you do not have to wait while HP rolls out new hardware and then
replace your entire existing network.
If your network already includes these
switches, you can simply upgrade the switch
software. Because the SDN Controller is built
on open standards, it will work with other
vendor devices that implement the OpenFlow
specification (Open vSwitch, for example).


Infrastructure layer
HP SDN solutions support hybrid switches that run
hybrid mode. This allows you to manage your
migration to SDN without disrupting existing
network operations.
HP also has a couple of wireless APs that support
HP Virtual Services Routers (VSR) and HP Multi-Service Routers (MSR) also
support OpenFlow. There are over 10 models, including the HP MSR 2000, 3000,
and 4000 series routers.


Control layer
At the control layer, HP provides the HP VAN SDN Controller, which is the
centralized control platform for the software-defined network. It interfaces
with the network infrastructure using open-standard interfaces and control
protocols such as OpenFlow, NETCONF, SNMP, and OVSDB. Network devices are
exposed as an abstracted and centralized control plane to network applications,
allowing for easier application


Control layer
The HP VAN SDN Controller also provides a platform for
SDN applications, which have been built and integrated into
the controller to provide network services such as network
virtualization, security, QoS, traffic engineering, and others.
The HP VAN SDN Controller mediates between these
applications (which collect information and make
decisions) and the infrastructure devices (which execute
decisions). HP provides programmable interfaces to the
control plane (the HP VAN SDN Controller), allowing
third-party developers to create their own applications for
installation as internal applications on the controller. Or
they can integrate external applications with the controller
through RESTful APIs.


Application layer
An SDN application is a
software program designed
to perform a task in a
networking (SDN)


For SDN management, HP has added a module to HP Intelligent Management Center
(IMC) called SDN Manager (SDNM). IMC provides consistent policy-based management
of both OpenFlow and non-OpenFlow networks.


SDN Manager will feature full fault and security management for HP-enabled SDN
domains.
• Enable deployment, monitoring, and management of HP OpenFlow-enabled switches
• Visualize traffic flow and performance monitoring in HP SDN domains
• Backup and restore configurations and software of HP SDN controllers
• Provide graphical OpenFlow troubleshooting with path

Taking advantage of the IMC platform features,
IMC SDN Manager leverages the flow
monitoring, topology mapping, and
troubleshooting features to provide full SDN
management capabilities in the same interface as
the wired, wireless, physical, and virtual
You will be able to manage both types — SDN
as well as traditional interfaces — from the same
console, which lends to the operational
efficiencies required for network administration.


Introduction to
3. HP SDN campus applications


HP SDN App Store
HP hosts an App Store for the delivery of SDN applications. Applications from HP
AllianceONE partners and the community at large are made available in the HP SDN
App Store.
All apps can be purchased with a credit card, and selected HP and HP Partner apps
can be purchased through the traditional channels with delivery through the HP
SDN App Store.


HP SDN App Store partners
Figure displays a handful of the 120 vendors who are creating
the products that support Open Networking Foundation (ONF)
software-defined networking (SDN).


Software development kit (SDK)
HP has made a Software development kit (SDK)
available with the HP VAN SDN Controller. The SDK
gives developers all the tools necessary to build SDN
applications for the HP controller. It includes
documentation for both the Java and the REST APIs as
well as all of the jar files necessary during compilation.
Sample applications are also included.
A remote lab is also available to AllianceONE partners
for testing SDN applications with real hardware. HP also
hosts and monitors a developer forum where developers
can collaborate to get answers to questions.


HP SDN ecosystem
HP is building an entire SDN ecosystem, which at present
includes the following:
• Over 30 million SDN-ready ports in production, providing
customers a rapid path to the new style of business while
providing developers a large market
• Over 5000 downloads of the HP VAN SDN controller
• Over 100 APIs—and not only the APIs, but a full developer
community, support, services, and a sales model
• Over 5000 man hours in certification of SDN apps
• Five developer events globally providing support to our growing
• A total of 5000 downloads of the HP developer kit
• Over 30 ecosystem partners



HP applications
HP has three major applications in the HP SDN App Store:
• HP Network Protector SDN
Application: provides
protection against real-time
security threats
• HP Network Optimizer SDN
Application: provides
application-driven quality of
service (QoS)
• HP Visualizer SDN Application:
provides network visibility



HP Network Protector SDN application
The Network Protector SDN application enables automated network posture
assessment and real-time security across an SDN-enabled network. Its
capabilities are described on the following slides.


HP Network Protector SDN application
The Network Protector SDN application enables simple security for
bring-your-own-device (BYOD).
The Network Protector SDN Application uses the HP VAN SDN Controller to
program the network infrastructure with security intelligence from the
TippingPoint Reputation Digital Vaccine (RepDV) Labs database. This turns
network infrastructure devices into security-enforcement devices, providing
visibility and threat protection against more than one million malicious
botnet, malware, and spyware sites.
The HP Network Protector SDN Application stops threats at the
network access layer before they can cause damage. Network Protector
can be used in any network environment where security is a concern.
HP envisions a network where Network Protector can be implemented
on any network device, anywhere in the network for unprecedented
network visibility, event correlation accuracy, and security control.


HP Network Protector SDN application
Simple security for BYOD
• The Network Protector SDN application brings a
new level of threat visibility, automation, and
control to organizations that support BYOD for
network connectivity.
• The application scales up to thousands of
endpoints, supporting enterprise organizations.
• The Network Protector SDN application
decreases the time IT spends on security
problems, from days or weeks to hours.


HP Network Protector SDN application
Enables automated network-posture assessment
• The Network Protector SDN application improves your network
visibility and accuracy. The application prioritizes specific Domain
Name Service (DNS) traffic (for example, business critical) and
restricts noncritical DNS traffic (for example, social media).
Proactive IT management of threats
• The HP Network Protector SDN application allows flow-based
dynamic access control lists (ACL), bringing security to the next
level. The application allows for per switch and device inspection
throttling. The application provides enhanced white/black/gray
list user policy routing.


HP Network Protector SDN application
Provides real-time threat detection across
enterprise campus networks
• The Network Protector SDN application protects from over one million
malicious botnet, malware, and spyware sites. The application enables
real-time threat characterization with the HP TippingPoint RepDV cloud
service.
• The Network Protector SDN application can consume cloud-based threat
intelligence.


HP Network Protector SDN application
Figure provides a screen capture of the HP Network Protector dashboard.


HP Network Protector SDN application
Features and benefits of the HP Network Protector SDN
application include the following:
• Quarantine thresholds can be configured on per client DNS requests
per second or on total number of unique malicious connections per
client, resulting in IP redirection or dropping of all client traffic.
• Malicious identity displays the IP addresses associated with
quarantined or blocked clients or reveals user-id when integrated with
• Custom whitelist allows administrators to bypass reputation check for
configured domains.
• Custom blacklist allows the administrator to block configured domains.
This can be configured to block at specified periods of time.
• The top-infected VLANs display provides visibility into the relative
health of VLAN clients.


HP Network Protector SDN application
Features and benefits of the HP Network Protector SDN
application include the following:
• The top-infected endpoints display provides visibility into the
source of malicious traffic.
• Inspection throttling ensures that network performance is not
impacted by bursts of heavy traffic.
• Group policy supports individual reputation levels for
blocking or quarantining members of the group.
• The email alerts feature notifies the administrator of
quarantined clients or malicious connection attempts.
• HP ArcSight integration allows logging of malicious activity
in common event format (CEF) syslog format (optional
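As an added example (not HP Network Protector code), the following Python model applies the quarantine logic listed above to a constructed DNS query log: a stand-in reputation table, an administrator whitelist that bypasses the reputation check and a blacklist that always blocks, a per-client threshold on unique malicious domains and a per-client DNS requests-per-second threshold, with each verdict also written as a CEF syslog line of the shape an ArcSight collector ingests. Domains, addresses, scores and thresholds are made up for the illustration, and the vendor and product fields in the CEF header are placeholders.

```python
"""DNS-reputation quarantine model (added example, not HP code)."""
from collections import defaultdict
from datetime import datetime

# Constructed stand-in for the RepDV reputation feed: domain -> score (higher is worse).
REPUTATION_DB = {
    "cnc.badbotnet.example": 95,
    "dl.malware-host.example": 80,
    "updates.vendor.example": 75,   # deliberate false positive, cleared via the whitelist below
    "mail.example.org": 5,
}


def cef(ts, sig_id, name, severity, **ext):
    """Format one CEF line: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    def esc(value):  # backslash and '=' must be escaped inside extension values
        return str(value).replace("\\", "\\\\").replace("=", "\\=")
    extension = " ".join(f"{k}={esc(v)}" for k, v in ext.items())
    return (f"CEF:0|ExampleVendor|DnsQuarantineDemo|1.0|{sig_id}|{name}|{severity}|"
            f"rt={int(ts.timestamp() * 1000)} {extension}")


class QuarantineEngine:
    def __init__(self, block_score=60, max_malicious=2, max_qps=20, whitelist=(), blacklist=()):
        self.block_score = block_score          # reputation at or above this is malicious
        self.max_malicious = max_malicious      # unique malicious domains per client before quarantine
        self.max_qps = max_qps                  # DNS queries per second per client before quarantine
        self.whitelist = set(whitelist)         # admin whitelist: bypasses the reputation check
        self.blacklist = set(blacklist)         # admin blacklist: always blocked
        self.malicious_seen = defaultdict(set)  # client -> malicious domains it has queried
        self.rate = defaultdict(lambda: defaultdict(int))  # client -> second -> query count
        self.quarantined = {}                   # client -> reason
        self.events = []                        # CEF lines emitted

    def classify(self, domain):
        if domain in self.whitelist:
            return "allow"
        if domain in self.blacklist:
            return "block"
        return "block" if REPUTATION_DB.get(domain, 0) >= self.block_score else "allow"

    def handle_query(self, ts, client, domain):
        """Process one DNS query and return the action taken for it."""
        if client in self.quarantined:
            return "drop"                       # a quarantined client has all traffic dropped
        second = int(ts.timestamp())
        self.rate[client][second] += 1
        if self.rate[client][second] > self.max_qps:
            return self._quarantine(ts, client, f"{self.rate[client][second]} DNS requests in one second")
        if self.classify(domain) == "allow":
            return "allow"
        self.malicious_seen[client].add(domain)
        self.events.append(cef(ts, 100, "Malicious DNS request", 6, src=client, dhost=domain))
        if len(self.malicious_seen[client]) >= self.max_malicious:
            return self._quarantine(ts, client, f"{len(self.malicious_seen[client])} unique malicious domains")
        return "block"

    def _quarantine(self, ts, client, reason):
        self.quarantined[client] = reason
        self.events.append(cef(ts, 200, "Client quarantined", 9, src=client, msg=reason))
        return "quarantine"


# Constructed DNS query log: (timestamp, client IP, queried domain).
SAMPLE_LOG = [
    ("2015-03-02T10:00:00", "10.1.1.20", "mail.example.org"),
    ("2015-03-02T10:00:01", "10.1.1.20", "cnc.badbotnet.example"),
    ("2015-03-02T10:00:02", "10.1.1.20", "dl.malware-host.example"),
    ("2015-03-02T10:00:03", "10.1.1.20", "mail.example.org"),
    ("2015-03-02T10:00:00", "10.1.1.30", "updates.vendor.example"),
    ("2015-03-02T10:00:00", "10.1.1.40", "partner.example.net"),
] + [("2015-03-02T10:00:05", "10.1.1.50", f"h{i}.example.com") for i in range(25)]


def run_demo():
    """Replay the sample log; returns the engine and the (client, action) taken per query."""
    engine = QuarantineEngine(whitelist={"updates.vendor.example"}, blacklist={"partner.example.net"})
    actions = [(client, engine.handle_query(datetime.fromisoformat(ts), client, domain))
               for ts, client, domain in SAMPLE_LOG]
    return engine, actions


if __name__ == "__main__":
    engine, actions = run_demo()
    for line in engine.events:
        print(line)
```

In the replay, 10.1.1.20 is blocked on its first malicious lookup and quarantined on the second, 10.1.1.30's false positive is allowed by the whitelist, 10.1.1.40 is blocked by the blacklist without being quarantined, and 10.1.1.50 is quarantined on its 21st query within one second; everything a quarantined client sends afterwards is dropped.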


HP Network Optimizer SDN application
Deploying trusted and granular QoS can be
extremely complex and requires implementing
tedious and time-intensive manual configurations
on a device-by-device basis. In fact, it is nearly
impossible to implement consistent end-to-end
traffic policies using deep packet inspection (DPI)
for soft clients with legacy networks. Session
Initiation Protocol (SIP) Transport Layer Security
(TLS) encryption and dynamic application ports,
used by unified communications (UC) applications,
result in poor application traffic visibility.


HP Network Optimizer SDN application
Figure illustrates how the HP Network Optimizer SDN
application reduces complexity and improves QoS.


HP Network Optimizer SDN application
The HP Network Optimizer SDN application uses OpenFlow to
dynamically prioritize traffic at the edge of a network. There are four
traditional ways that unified communications can be identified and
prioritized on the network:
1. The first method prioritizes all traffic from a device. This method is used
with traditional VoIP phones by placing the phone in a voice VLAN and
prioritizing all traffic in this VLAN. This solution is not possible with
Microsoft Lync in wholesale deployments because the voice client is usually
the Lync software client running on a PC.
2. The second method uses a predefined Transmission Control Protocol (TCP)
or User Datagram Protocol (UDP) port number or range, where traffic
matching these ports can be prioritized. This is not an ideal solution
because it increases Lync and network management overheads as well as
raising the potential of port mapping conflicts on the client PCs. (See Figure
for a graphic illustration of Microsoft Lync communications on a network.)



HP Network Optimizer SDN application
3. The third method uses a DPI engine to analyze and determine the
packet’s nature. However, in the case of Lync, this is not feasible because all
Lync control traffic is encrypted in TLS sessions. This makes DPI analysis
impossible or unreliable in its ability to isolate business Lync traffic from
nonbusiness voice or video communications.
4. Finally, the client can mark traffic as important and configure the
network to trust the tags. While this will work and Lync does support it, it
requires a level of trust from network clients that is not recommended. As
soon as the network trusts a client, there will be users who abuse the trust
and attempt to prioritize all of their traffic. In other words, a user could use
a company’s network to watch movies or download BitTorrent files at high

HP Network Optimizer SDN application
The shortcomings of the above methods led HP and Microsoft to develop a
better method to prioritize important Lync traffic. The
Lync Server had detailed knowledge of UC session
information happening in an environment and HP SDN
controllers had detailed knowledge of physical topology.
Microsoft, in collaboration with HP, developed an API
that installs on the Lync Server and can make RESTful
API calls to the HP Network Optimizer SDN application
with all of the call details, including users, type of call, and
bandwidth requirements. HP Network Optimizer can then
use OpenFlow to dynamically prioritize traffic on the
network for the duration of the call.


HP Network Optimizer SDN application
The HP Network Optimizer SDN application uses OpenFlow hybrid mode, so
only the edge (access) devices need to be OpenFlow enabled. The HP Network
Optimizer solution does Differentiated Services Code Point (DSCP)
remarking at the edge of the network, and the rest of the network is
configured to honor the markings supplied by the access-layer device.
Trusting QoS values set by end users was a bad idea, but with the
access-layer devices doing the QoS marking, the network core honors
markings that originate from the network edge rather than from the client.
When the HP Network Optimizer application boots, a default flow is pushed
to all access devices that remarks all traffic in the specified VLANs to
normal priority. HP Network Optimizer can then dynamically prioritize the
Lync traffic to an administratively assigned priority.
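To make the flow-table mechanics concrete, the following Python model (an added example written for this page, not HP Network Optimizer code) shows an access switch with a low-priority default flow that remarks everything in a managed VLAN to DSCP 0, and a simulated Optimizer that installs a higher-priority per-call flow from a constructed call-start notification shaped like the Lync Server REST call described above, then removes it when the call ends. The field names, the notification layout and the DSCP/802.1p values (EF 46/5 for audio, AF41 34/4 for video) are assumptions made for the illustration.

```python
"""Call-driven QoS remarking on an OpenFlow-hybrid access switch (added example, not HP code)."""
from dataclasses import dataclass


@dataclass
class Flow:
    priority: int
    match: dict       # OpenFlow-style match fields; a field that is absent is a wildcard
    dscp: int         # DSCP written to matching packets
    pcp: int          # 802.1p priority written to matching packets
    cookie: str       # identifies who installed the flow (the call ID, or "default")

    def matches(self, pkt):
        return all(pkt.get(k) == v for k, v in self.match.items())


class EdgeSwitch:
    """Hybrid-mode access switch: OpenFlow only rewrites QoS marks, forwarding stays traditional."""

    def __init__(self, qos_vlans):
        # Default flow pushed when the application starts: everything in the managed
        # VLANs is remarked to best effort, so a DSCP set by the client is never trusted.
        self.flows = [Flow(1, {"vlan": v}, dscp=0, pcp=0, cookie="default") for v in qos_vlans]

    def add_flow(self, flow):
        self.flows.append(flow)

    def remove_flows(self, cookie):
        self.flows = [f for f in self.flows if f.cookie != cookie]

    def process(self, pkt):
        """Return the (dscp, pcp) a packet carries when it leaves the switch."""
        hits = [f for f in self.flows if f.matches(pkt)]
        if not hits:                       # outside the managed VLANs: marks pass through
            return pkt.get("dscp", 0), pkt.get("pcp", 0)
        best = max(hits, key=lambda f: f.priority)   # highest-priority entry wins
        return best.dscp, best.pcp


# Administratively assigned classes (assumed values: EF for audio, AF41 for video).
CLASS_MAP = {"audio": (46, 5), "video": (34, 4)}


class OptimizerSim:
    """Stands in for the Network Optimizer application receiving call events from the UC server."""

    def __init__(self, switch):
        self.switch = switch

    def call_started(self, call):
        """Install one high-priority flow per direction for the call's media 5-tuple."""
        dscp, pcp = CLASS_MAP[call["media"]]
        endpoints = (call["caller"], call["callee"])
        for src, dst in (endpoints, endpoints[::-1]):
            match = {"vlan": src["vlan"], "ip_proto": 17, "ip_src": src["ip"], "ip_dst": dst["ip"],
                     "udp_src": src["port"], "udp_dst": dst["port"]}
            self.switch.add_flow(Flow(100, match, dscp, pcp, cookie=call["id"]))

    def call_ended(self, call_id):
        self.switch.remove_flows(call_id)     # marks revert to the default flow


def run_demo():
    """Constructed call-start notification and packets; returns the marks before/during/after."""
    sw = EdgeSwitch(qos_vlans={10})
    optimizer = OptimizerSim(sw)
    call = {"id": "call-42", "media": "audio",
            "caller": {"ip": "10.0.10.5", "port": 50000, "vlan": 10},
            "callee": {"ip": "10.0.10.9", "port": 50002, "vlan": 10}}
    voice = {"vlan": 10, "ip_proto": 17, "ip_src": "10.0.10.5", "ip_dst": "10.0.10.9",
             "udp_src": 50000, "udp_dst": 50002, "dscp": 0, "pcp": 0}
    # Bulk download that the client has marked EF itself, hoping to be prioritized.
    torrent = {"vlan": 10, "ip_proto": 6, "ip_src": "10.0.10.5", "ip_dst": "198.51.100.7",
               "tcp_src": 6881, "tcp_dst": 6881, "dscp": 46, "pcp": 5}
    before = sw.process(voice)
    optimizer.call_started(call)
    during = (sw.process(voice), sw.process(torrent))
    optimizer.call_ended("call-42")
    after = (sw.process(voice), len(sw.flows))
    return before, during, after


if __name__ == "__main__":
    print(run_demo())   # ((0, 0), ((46, 5), (0, 0)), ((0, 0), 1))
```

The point of the two-tier priority is the fourth method's weakness from the previous slide: the client-marked torrent packet is remarked to best effort by the default flow regardless of what it claims, while the voice stream is elevated only for the 5-tuple and lifetime the UC server reported, and drops back to normal the moment the call ends.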


HP Network Optimizer—dashboard
HP Network Optimizer provides, with Microsoft Lync soft clients, the
enhanced Enterprise Voice user experience that users have come to expect
from traditional PBX voice connections and VoIP on hard phones. This allows
an enterprise to support the mobility demanded by users and offered by
Microsoft Lync Enterprise Voice and still get the experience they want.
Calls are dynamically provisioned without administrative involvement.
HP Network Optimizer also enables the IT administrator to rapidly
define and adjust the priorities of Lync traffic on the network with
granular control of both DSCP markings and 802.1p priorities. No
longer does the network administrator need to touch every switch to
deploy a unified communications QoS adjustment. (See Figure for a
screen capture of the HP Network Optimizer application dashboard
and a quick list of other salient features.)



HP Network Optimizer—dashboard
• An instance of HP Network Optimizer can
support an infrastructure with up to 2000
OpenFlow-enabled network devices and up to
10,000 users. These numbers assume minimum
system requirements of a quadcore processor, 8
GB of RAM, and 64 GB of available disk space.
Additional instances of HP Network Optimizer
can be deployed to support a larger number of
OpenFlow-enabled network devices and users.


HP Network Optimizer—dashboard
• In the current release of HP Network Optimizer, HA is not
supported. To help maximize network availability, the
OpenFlow-enabled devices in a network should be configured to fail
open if the controller becomes unavailable. HP Network Optimizer is
designed to operate in hybrid SDN mode, which means traffic is
forwarded using traditional networking methods based on destination
MAC address or destination IP address. When a switch fails open,
these same traditional forwarding mechanisms continue to forward
traffic as expected. Note the trade-off: while a switch is failed open,
the flows the controller installed are not applied to traffic, so
call-driven prioritization is suspended until the controller is
reachable again.


HP Network Optimizer—dashboard
• Network security has been a critical concern for a very long time, and
that does not change with the advent of SDN, but the methods of securing a
network need to be re-evaluated. Several mechanisms help secure an SDN
environment. First, the connection between a switch and the controller
should be carried on a dedicated management VLAN or, for additional
security, on a completely out-of-band network. An out-of-band network is
usually not feasible in a campus LAN but may be possible in a data center.
Second, the communication between an OpenFlow device and the controller
should be authenticated and encrypted. The HP VAN SDN Controller and HP
switches support mutual authentication using certificates and TLS.
Access to the controller for management purposes is also encrypted
using TLS and authenticated using OpenStack Keystone.


HP Network Visualizer benefits
As Figure explains, the HP Network Visualizer Application provides visibility of
network traffic and offers a flexible solution for obtaining copies of network
packets for auditing, verification, and dynamic troubleshooting purposes.


HP Network Visualizer benefits
You can get copies of network packets from multiple
source devices and forward captured packets to a
collection device located almost anywhere in the network
using a generic routing encapsulation (GRE) tunnel.
The Network Visualizer dynamically installs OpenFlow
rules to monitor the network traffic using the filter
criteria specified by a network administrator via the
graphic user interface (GUI). Filter criteria are specified
with SDN policy attributes built on access control list
(ACL) networking match attributes and legacy actions.
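The capture path described above, as an added example (not HP Network Visualizer code): an ACL-style capture filter is evaluated against constructed Ethernet/IPv4 frames, matching frames are copied into a minimal RFC 2784 GRE header (protocol type 0x6558, transparent Ethernet bridging) inside an IPv4 packet addressed to the collector, and the collector side validates and strips the outer headers to recover the original frame. Addresses, sample frames and the filter are constructed for the illustration. Note that plain GRE adds no confidentiality or integrity: mirrored packets, including the DNS and HTTP payloads below, travel to the collector in cleartext, so the tunnel should run over the management or an otherwise isolated path.

```python
"""Capture filter, GRE mirror and collector-side decapsulation (added example, not HP code)."""
import socket
import struct


def ip_checksum(data):
    """RFC 1071 one's-complement checksum as used in the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def build_frame(src_ip, dst_ip, proto, sport, dport, payload):
    """Constructed Ethernet/IPv4/(UDP|TCP) frame used as sample capture input."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:  # minimal TCP header with flags/checksum zeroed; enough for header matching
        l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16 + payload
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ipv4_header(src_ip, dst_ip, proto, len(l4)) + l4


def parse_frame(frame):
    """Extract the ACL-style match fields from an Ethernet/IPv4 frame (None if not IPv4)."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    ip_src, ip_dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", l4[:4]) if proto in (6, 17) else (None, None)
    return {"ip_src": ip_src, "ip_dst": ip_dst, "ip_proto": proto, "l4_src": sport, "l4_dst": dport}


class CaptureFilter:
    """Filter criteria modelled on ACL match attributes; absent keys are wildcards."""

    def __init__(self, **match):
        self.match = match

    def matches(self, frame):
        fields = parse_frame(frame)
        return fields is not None and all(fields.get(k) == v for k, v in self.match.items())


GRE_ETH_BRIDGING = 0x6558   # GRE protocol type for a tunnelled Ethernet frame


def gre_encapsulate(frame, tunnel_src, tunnel_dst):
    """Wrap a mirrored frame in a minimal RFC 2784 GRE header inside an IPv4 packet (proto 47)."""
    gre = struct.pack("!HH", 0x0000, GRE_ETH_BRIDGING) + frame
    return ipv4_header(tunnel_src, tunnel_dst, 47, len(gre)) + gre


def gre_decapsulate(packet):
    """Collector side: validate the outer headers and return the original frame."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or packet[9] != 47 or ip_checksum(packet[:ihl]) != 0:
        raise ValueError("not a valid IPv4/GRE packet")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if proto != GRE_ETH_BRIDGING:
        raise ValueError("unexpected GRE payload type 0x%04x" % proto)
    # Optional checksum (C), key (K) and sequence (S) fields each add 4 bytes to the header.
    hdr_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return packet[ihl + hdr_len:]


def mirror(frames, capture_filter, switch_ip, collector_ip):
    """Copy every frame that matches the filter into the GRE tunnel towards the collector."""
    return [gre_encapsulate(f, switch_ip, collector_ip) for f in frames if capture_filter.matches(f)]


def run_demo():
    frames = [
        build_frame("10.1.1.20", "10.1.1.53", 17, 51234, 53, b"\x12\x34\x01\x00"),      # DNS query
        build_frame("10.1.1.20", "203.0.113.8", 6, 44000, 80, b"GET / HTTP/1.0\r\n"),  # HTTP request
        build_frame("10.1.1.21", "10.1.1.53", 17, 51000, 53, b"\x56\x78\x01\x00"),      # DNS query
    ]
    dns_only = CaptureFilter(ip_proto=17, l4_dst=53)
    tunnelled = mirror(frames, dns_only, "10.1.1.2", "10.9.9.9")
    recovered = [gre_decapsulate(p) for p in tunnelled]
    return frames, tunnelled, recovered


if __name__ == "__main__":
    frames, tunnelled, recovered = run_demo()
    print(len(tunnelled), "frames mirrored;", "intact" if recovered == [frames[0], frames[2]] else "corrupted")
```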


HP Network Visualizer benefits
As Figure illustrates, the Network Visualizer dashboard provides a graphic
representation of current capture session configuration, capture session
failures, and discovered devices by type and operating system (OS).


What is NFV?
Network functions virtualization (NFV) offers a new way to design, deploy,
and manage networking services; the individual functions that are
virtualized are called virtual network functions (VNFs). NFV decouples
network functions such as network address translation (NAT), firewalling,
intrusion detection, domain name service (DNS), and caching from
proprietary hardware appliances so they can run in software.
It is designed to consolidate and deliver the networking components
needed to support a fully virtualized infrastructure, including
virtual servers, storage, and even other networks. It utilizes
standard IT virtualization technologies that run on high-volume
server, switch, and storage hardware to virtualize network
functions. It is applicable to any data plane processing or control
plane function in both wired and wireless network infrastructures.



What is Network Functions Virtualization (NFV)?
NFV has a number of benefits:
• Less space needed for network hardware
• Lower network power consumption
• Reduced network maintenance cost
• Simpler and faster network upgrades


What is Network Functions Virtualization (NFV)?
NFV is part of a sea change in the way networking
hardware and software operate and interact. Along
with SDN, NFV creates an environment rich in
automation and programmability capabilities.
NFV also presents carriers and service providers an
opportunity to implement a more customer-centric
network infrastructure that can adapt dynamically to
customer needs and requirements.
Large network operators are turning to NFV because
of its programmability and open standards. Plus, it
frees them from proprietary network vendor


NFV versus SDN
NFV is complementary to SDN, although NFV can be implemented
without SDN. SDN allows IT and network operations to apply business
logic directly to emerging software-based networks and dynamically
introduce new services faster with lower management costs and with less
complexity. SDN unlocks overprovisioned, underutilized, and
constrained networks to gain value from them. It enables network
simplification by abstracting away complexity.
NFV and SDN can be combined to create greater value as SDN extends
to the network infrastructure the agility that server virtualization brings
to the compute infrastructure. HP foresees that functions being
virtualized today eventually become virtualized network services within
a SDN architecture.
Demonstrating in-depth integration of the two is a key requirement
fulfilled within the HP architecture.


NFV and SDN comparison
Network functions virtualization: By leveraging standard IT virtualization
technology to consolidate many network equipment types onto
industry-standard high-volume servers, switches, and storage, NFV provides
a model to meet CSP challenges around reducing capital expenditures
(CapEx), improving manageability, decreasing time-to-market, and
encouraging a wider
Software-defined networking (SDN): SDN enables the emerging software-based
networks that allow IT and network operations to apply business logic
directly and dynamically to introduce new services faster, lower management
costs with less complexity, and commoditize many network functions. SDN is
an enabling technology that challenges current practices by decoupling the
control plane from the data-forwarding



Introduction to
4. Data center and cloud SDN solutions


From enterprise to service providers, IT customers
require tailored network virtualization solutions that fit
specific business outcomes. To meet this unique
requirement, HP provides a three-part offering that
frees you from legacy networks, improves your service
velocity, and lowers cost.
Built on the industry’s most comprehensive network
virtualization portfolio and backed by world-class
service and support, HP is uniquely positioned to
navigate you safely through this technology and business


Each of the solutions you see in Figure provides an open, standards-based
foundation for customers to (optionally) move toward broader SDN application
deployment. HP’s open SDN ecosystem and HP SDN App Store help customers to
quickly drive bottom-line value and improve end-user application experience.


Virtual Cloud Networking (VCN)


Virtual Cloud Networking (VCN)
In June 2014, HP announced the Virtual Cloud Networking (VCN)
SDN application and its integration into HP’s Helion OpenStack®
distribution. VCN offers an OpenStack Neutron distribution with
unique enhancements such as multihypervisor support, distributed
virtual routing, HA, Virtual Extensible LAN (VXLAN) gateway,
VPN as a service (VPNaaS), and security group enhancements. It
also provides improved scalability. Many of these enhancements
have been contributed back to the open source community.
HP is now a top contributor to OpenStack Neutron, with ongoing
work planned to support additional hypervisors, bare metal
functions, service chaining, and SDN application integration to
support network and security operations.


Important. OpenStack conceptual architecture


HP Virtual Cloud Networking
Cloud computing is increasingly attractive to businesses because of
the agility, cost savings, and efficiency it provides. However, these
same businesses are finding themselves limited by the complexity
and disjointed architectures of legacy networks: not only are legacy
networks complex, they are also slow to provision new services and
are labor intensive. They do not have the agility to meet the
challenges of “The New Style of Business,” characterized by the
interrelated trends of cloud, security, mobility, and big data.
To meet the constantly evolving needs of your customers, you need a
network infrastructure that works with you, not against you—one
that not only is agile enough to deliver robust and scalable services
but also simple enough to lower costs and limit complexity.


HP Virtual Cloud Networking
The HP VCN SDN application can help you do just that. The HP VCN
SDN application is the enhanced networking module of HP Helion
OpenStack (see Figure), delivering network virtualization enabled by
SDN and orchestrating the entire data center infrastructure.


HP Virtual Cloud Networking
The VCN SDN application
helps cloud providers and
enterprises build a robust
multitenant networking
infrastructure that is able
to deliver ready-to-use
compute, storage, and
networking. It provides:
• Scalable, secure, and
hardened enterprise cloud
• Complete access to an
open SDN ecosystem that
includes HP and thirdparty SDN applications
The HP VCN SDN application integrates with the HP VAN
SDN Controller and leverages OpenFlow to create a unified
control for the deployment of dynamic policy on both the
virtual (Open vSwitch) and physical (HP and third-party)


HP Virtual Cloud Networking
VCN provides a multitenant network virtualization service for
Kernel-based Virtual Machine (KVM) and VMware ESX
multi‐hypervisor data center applications, offering organizations
both open source and proprietary solutions. Multitenant isolation is
provided by centrally orchestrated VLAN or VXLAN-based virtual
networks operating over standard L2 or L3 data center fabrics.
Bare-metal (nonvirtualized) servers and appliances can be
supported in a VXLAN environment with the addition of HP 5930
switches to provide the hardware tunnel endpoint function. In a
fully virtualized deployment, the existing data center switching
infrastructure can be retained without the need for costly upgrades.
OpenFlow 1.3‐enabled devices are recommended to realize the full
benefit of SDN‐based data center applications.


HP VCN components
To understand how HP VCN works, you must understand its
components, which you see illustrated in Figure.


HP VCN components
The HP VCN application itself resides on the HP VAN
SDN Controller as an internal application. It can
consume all of the controller services, such as flow
management, packet listening, business logic
processing, data persistence, and HA.
The application uses RESTful APIs to communicate
with an HP VCN Plug-in on the OpenStack controller.
HP offers an enterprise-ready OpenStack-compliant
controller, which you will learn about in a moment,
but customers can install the HP VCN Plug-in on any
OpenStack controller they choose.


HP VCN components
The HP VAN SDN Controller provides the Neutron L2 Agent and L3
Agent APIs. These APIs let HP VCN communicate with VCN agents
installed on virtual hosts. Each compute node hosting VMs requires
a VCN Compute Node (CN) agent, and each network node hosting
virtual network appliances requires a VCN Network Node (NN) agent.
When HP VCN receives provisioning requests from the OpenStack
controller, HP VCN uses its built-in business logic and
knowledge of the infrastructure to construct a plan for executing the
request. It then programs the proper settings by making RESTful
API calls to the CN and NN agents. It can use platform services to
alter traffic flows on the physical infrastructure, if required.
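To illustrate the kind of plan a compute-node agent could apply for a port-provisioning request, here is an added Python model (not HP VCN code; the request layout, the VNI number and the rule shapes are assumptions for the illustration): a constructed Neutron-style port-create request is translated into ordered virtual-switch rules that tag the VM's egress traffic with its tenant segment only when it carries the assigned MAC and IP (anti-spoofing), admit ingress traffic only where a security-group rule permits it, and drop everything else destined for the port.

```python
"""Port-provisioning plan for a compute-node agent (added example, not HP VCN code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    priority: int
    match: dict      # field -> value; "remote_cidr" is tested against the packet's ip_src
    action: str      # "allow", "drop" or "tag:<vni>"

    def hits(self, pkt):
        for key, value in self.match.items():
            if key == "remote_cidr":
                if ip_address(pkt["ip_src"]) not in ip_network(value):
                    return False
            elif pkt.get(key) != value:
                return False
        return True


def build_plan(req):
    """Translate a constructed, Neutron-style port-create request into ordered vswitch rules.

    Egress (from the VM): tagged with the tenant's VNI only when it carries the assigned
    MAC and IP, otherwise dropped (anti-spoofing). Ingress (to the VM): allowed only where
    a security-group rule matches, otherwise dropped.
    """
    rules = [
        Rule(300, {"in_port": req["port"], "eth_src": req["mac"], "ip_src": req["ip"]},
             f"tag:{req['vni']}"),
        Rule(200, {"in_port": req["port"]}, "drop"),
    ]
    for sg in req["security_group"]:
        match = {"out_port": req["port"], "ip_proto": sg["proto"], "remote_cidr": sg["remote_cidr"]}
        if sg.get("port") is not None:
            match["tp_dst"] = sg["port"]
        rules.append(Rule(100, match, "allow"))
    rules.append(Rule(10, {"out_port": req["port"]}, "drop"))     # default deny toward the VM
    return rules


def evaluate(rules, pkt):
    """The first matching rule in descending priority order decides; unrelated traffic is untouched."""
    for rule in sorted(rules, key=lambda r: -r.priority):
        if rule.hits(pkt):
            return rule.action
    return "normal"


# Constructed port-create request as a cloud controller might send it (VNI and field names assumed).
REQUEST = {
    "tenant": "acme", "vni": 5001, "port": "vnet0",
    "mac": "fa:16:3e:aa:bb:cc", "ip": "10.10.0.5",
    "security_group": [
        {"proto": 6, "port": 22, "remote_cidr": "10.10.0.0/24"},    # SSH from the tenant subnet only
        {"proto": 6, "port": 443, "remote_cidr": "0.0.0.0/0"},      # HTTPS from anywhere
        {"proto": 1, "port": None, "remote_cidr": "10.10.0.0/24"},  # ICMP from the tenant subnet
    ],
}


def run_demo():
    """Evaluate constructed egress and ingress packets against the plan; returns verdict per case."""
    rules = build_plan(REQUEST)
    cases = {
        "egress_ok": {"in_port": "vnet0", "eth_src": "fa:16:3e:aa:bb:cc", "ip_src": "10.10.0.5"},
        "egress_spoofed_ip": {"in_port": "vnet0", "eth_src": "fa:16:3e:aa:bb:cc", "ip_src": "10.10.0.99"},
        "ingress_ssh_tenant": {"out_port": "vnet0", "ip_proto": 6, "ip_src": "10.10.0.7", "tp_dst": 22},
        "ingress_ssh_internet": {"out_port": "vnet0", "ip_proto": 6, "ip_src": "198.51.100.9", "tp_dst": 22},
        "ingress_https_internet": {"out_port": "vnet0", "ip_proto": 6, "ip_src": "198.51.100.9", "tp_dst": 443},
        "ingress_icmp_tenant": {"out_port": "vnet0", "ip_proto": 1, "ip_src": "10.10.0.7"},
        "other_port": {"out_port": "vnet1", "ip_proto": 6, "ip_src": "10.10.0.7", "tp_dst": 22},
    }
    return {name: evaluate(rules, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:24s} {verdict}")
```

The rule ordering is what makes the isolation hold: the anti-spoof drop sits below the tagging rule but above everything else, so a VM cannot inject traffic with another tenant's address into its own segment, and the default deny toward the port means a security group that lists nothing admits nothing.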


HP-VMware networking solution (NSX Federation)


HP-VMware networking solution
(NSX Federation)
The HP-VMware networking solution delivers an interoperable SDN and
network virtualization solution that provides customers unified
automation and visibility into virtual and physical networks in
VMware-centric data centers. The solution combines the HP VAN SDN
Controller and the VMware NSX network virtualization platform through
federation APIs to deliver SDN automation across physical and virtual
data center networks.



HP-VMware networking solution
HP and VMware are collaborating to provide the industry’s first
interoperable SDN solution. As illustrated in Figure, the solution federates
the HP VAN SDN Controller with the VMware NSX network virtualization
platform to provide customers with an integrated approach for automating
their physical and virtual network infrastructures.




HP Distributed Cloud Networking (DCN)


HP Distributed Cloud Networking (DCN)
HPE Distributed Cloud Networking is a
complete and comprehensive networking
solution that unifies Private, Public, and Hybrid
clouds by virtualizing existing data centers and
allowing network resources to be easily
controlled with a la carte management platforms
such as Openstack, Cloudstack or vCenter.
Leveraging the programmability of its business logic and policy
engine, the platform provides an open and agile solution that
scales to meet the stringent needs of multitenant data centers.


HP Distributed Cloud Networking (DCN)
The solution is comprised of a network layer both physical and
virtual, a control layer with federated controllers that can
interconnect using MP-BGP within and across data centers, and a
service directory layer with advanced programmable policies and
analytics framework where IT administrators can define,
visualize and control the network without being burdened by
network implementation details. They can implement security,
load balancing, and user access policy with a high level of
abstraction, instead of manual CLI and IP address assignment.
Once defined, those policies can dynamically be used to govern
network behavior on an as-needed basis triggered by compute
instance creation, migration and deletion. It also provides
extensive service insight with an analytics engine based on
Hadoop technology that collects and stores per-tenant, per-VPN,
per-VM statistics.



HP Distributed Cloud Networking (DCN)
Figure illustrates the antithesis of what service providers and large organizations
need to build distributed, scale-out, multidata center environments in a simple,
standard, and agile method using SDN and networking virtualization. HP DCN, on
the other hand, is exactly what they need. It is a complete and comprehensive
networking solution that virtualizes existing data centers and allows network
resources to be easily controlled with management platforms such as HP
CloudSystem, OpenStack, CloudStack, or vCenter.


HP Distributed Cloud Networking (DCN)
HP DCN provides business agility while controlling infrastructure costs. It uses
embedded advanced networking features that select the fastest path to help
optimize bandwidth usage and latency automatically while decreasing the
bottleneck of external routers or gateways.


HP Distributed Cloud Networking (DCN)
As Figure below illustrates, HP DCN provides a foundation
that enables service providers and large organizations to
manage a distributed, multidata-center environment in a
simple, open, and agile way using software-defined
networking and network virtualization. With underlay and
overlay networks fully integrated, you can lower total cost
of ownership (TCO) by combining intelligent workload
management with policy automation.
DCN is also accelerating communication service providers’
journeys to NFV by optimizing network resources,
increasing agility, and speeding time-to-market through
dynamic, service-driven configuration.



Unify private, public, and hybrid data centers with SDN
Through SDN and network virtualization, HP DCN enables network
administrators to control the distributed network environment from one
central location, whether the organization incorporates private, public,
or hybrid data centers. It:
• Supports policy-based network provisioning to automate and speed
application deployments
• Deploys distributed data center networks in minutes vs. months


Operate multiple data centers into a single point of
• HP DCN has plug-ins available for OpenStack,
CloudStack, HP Cloud OS, and HP Helion for increased
flexibility in your choice of environments.
• New applications are onboarded quickly through
application-centric service definition and creation that is
decoupled from network-centric implementation details.
• Per-application views for self-service establishment of
network services are automatically in line with enterprise
security policies and the application’s business logic.


Provides business agility while controlling
infrastructure costs
• HP DCN is a full layer 2 to layer 4 virtualization
platform that optimizes the network by removing
• It automatically selects the fastest path to optimize
bandwidth usage and latency while decreasing the
bottleneck of the external router or gateway.
• Policy functions align network deployment with
application needs in an automated way, offering users the
ability to configure the network in an application friendly


DCN: Solving the following table stakes
What is needed to support such networking functionality? As
Figure illustrates, the answer is this:


You learned how SDN helps enhance and improve
networks. You learned the needs driving SDN and
reviewed some initial use cases of OpenFlow and SDN.
You learned some of the fundamentals of SDN and
OpenFlow and learned how SDN abstracts the network
infrastructure, allowing software developers to
programmatically implement business policies.
You also reviewed some differing viewpoints of what SDN
is and then learned some of the advantages of an open
standards based, multivendor OpenFlow-enabled SDN.


You were introduced to various HP SDN applications for the
campus, data center, and cloud. You learned about the HP SDN
App Store, the various circles available in the SDN App Store,
and various applications available in the App Store.
We briefly discussed the following applications and solutions:
• HP Network Protector SDN
• HP Network Optimizer SDN
Application for Microsoft Lync
• HP Visualizer SDN Application
• HP VMware NSX federation