Architecture & Service Orchestration for Multi-Tenant Cloud Services
BRKSPG-2305

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public

Page 2

Session Overview

The Goal of This Session Is to Help Participants

Understand Data Center/Cloud virtualization, multi-tenancy, service tiering concepts.

Learn about various components of the Cisco VMDC solution for IaaS Cloud Infrastructure and Orchestration

Understand the need for and benefits of Service Orchestration in the Cloud, with BMC CLM and Cisco CIAC

Page 3

Agenda

Cloud Overview

VMDC IaaS Cloud Solution
‒ Scalability
‒ Multi-tenancy
‒ Security/Isolation
‒ Service Tiers

Service Orchestration
‒ Overview, Framework
‒ BMC Cloud Lifecycle Management
‒ Cisco Intelligent Automation for Cloud
‒ Service Assurance

Page 4

Glossary

VMDC: Cisco Virtualized Multi-Tenant Data Center
IaaS: Infrastructure as a Service
SaaS: Software as a Service
DC: Data Center
FCoE: Fibre Channel over Ethernet
SAN: Storage Area Network
NAS: Network Attached Storage
UCS: Unified Computing System
VM: Virtual Machine
VRF: Virtual Routing & Forwarding
DR: Disaster Recovery
CMDB: Configuration Management Database
BBNA: BMC BladeLogic Network Automation
BBSA: BMC BladeLogic Server Automation
CLM: BMC Cloud Lifecycle Management
VDC: Virtual Data Center
CIAC: Cisco Intelligent Automation for Cloud

Page 5

Cloud Overview

Page 6

Why Cloud: Potential Benefits

Organizational flexibility
Reduced cost of infrastructure
Agility and rapid deployment
Relocation of IT resources
Support for new business models

Deployment models: Private, Virtual Private (vPrivate), Public, Hybrid, Community

Examples:
‒ Private (Government to Cloud): centralized services; reduced hardware, improved security and application control
‒ Public (Enterprise to Cloud): HR processing; reduced hardware, elastic and efficient

Page 7

Cisco Converged Infrastructure

[Diagram: Service Portal / Service Catalog and a Service Application Programming Interface on top of Service Orchestration, which drives OSS, BSS and NMS; beneath them the virtualized resources (Compute, Network, Storage) of the Data Center and Next Generation Networks. Foundation: Cisco Converged Infrastructure.]

Page 8

Scalability: Add Capacity for the System, Not a Single Service

[Chart: capacity consumed over time by Service 1 to Service 4, plotted against the available capacity line]

Added infrastructure is dynamically discovered and comes online to meet any required demand.

Page 9

Built for On-Demand Service Orchestration

A multi-domain configuration abstraction layer that sits on top of the data center infrastructure.

Enables a portal-based configuration model in which the subscriber can pick from a limited number of customized service options and host applications as virtual machines.

Based on these picks, configuration actions are executed on the device(s) that make up the service as represented in the customer-facing portal.

[Diagram: Portal → Orchestrator → Resource Management & CMDB → Storage, Compute, Network & Security domains]

Page 10

IaaS Cloud: VMDC Solution

Page 11

Cisco VMDC – IaaS Cloud Solution

VMDC Orchestration / Management:
‒ Cloud Services / Applications / Whole Offers
‒ Assurance Software
‒ Infrastructure Orchestration Software
‒ Infrastructure Abstraction / Management Software

VMDC Infrastructure (per data center, joined by Data Center Interconnect):
‒ Scalable, Multi-Tenant L2/3 DC Networking
‒ Security Features, L4-7 Services
‒ Integrated Compute Stacks – Vblock, FlexPod, etc. (several per data center)

Page 12

Cisco Virtualized Multi-tenant Data Center Solution

A validated reference architecture for IaaS Public and Private Clouds – Cisco and Partner platforms

A blueprint enabling customers to readily deploy services or applications

An architecture that combines integrated compute stacks, unified data center and data center interconnect into an end-to-end architecture

A prescriptive package available to customers as a whole offer

Multiple phases, evolving with new Platforms and Technologies

Page 13

Cisco VMDC Solution Phases

Validated and published:
‒ VMDC 1.0 DIG
‒ VMDC 2.0 Large Pod DIG
‒ VMDC 2.0 Compact Pod DIG
‒ BMC CLM 1.01 DIG
‒ VMDC Hybrid Cloud with VMware vCloud Director
‒ VMDC 2.2 DIG
‒ VMDC Data Center Interconnect with VPLS (white paper)
‒ BMC CLM 2.1 DIG

Currently being validated:
‒ FabricPath (proofs of concept)
‒ VMDC 2.2 security additions (IPS, vApp-based firewalls)
‒ New L3 designs/form factors (vApp-based routing)

Page 14

VMDC 2.2 Platforms

Management: Cisco UCS Manager; VMware vCenter 4.1; BMC CLM 2.1 (BBNA, BBSA, Atrium, Remedy)

Compute / Virtual: Cisco UCS 6140 Fabric Interconnect; Cisco UCS 5100 chassis + B200-M1/M2 blades*; Cisco Nexus 1000V; VMware vSphere 4.1, ESXi; Virtual Security Gateway (VSG)

Network: Cisco CRS-1, ASR 9000; Catalyst 6500 VSS; Cisco Nexus 7000; Cisco Nexus 5000; Cisco Catalyst 6500 DSN with Cisco ACE30 and FWSM (or ASA-SM); Cisco ASA 5585-X SSP-60; Cisco IPS-SM (VMDC 2.2+)

SAN: Cisco MDS 9513, 9228

Storage: EMC Symmetrix VMAX (SAN); NetApp FAS 6080 (NAS)

* B200 and B230 M2 blades recommended

Page 15

VMDC 2.2 Topology

[Diagram: WAN/edge ASR 9000 on the IP/MPLS network; Core Nexus 7010 pair; Aggregation/Access Nexus 7018 pair; Services on a DSN Catalyst 6500 with FWSM/ASA-SM and ACE, plus ASA 5580, split into Outside VRF and Inside VRF; Virtual Access/Compute of UCS 6140 fabric interconnects, UCS blade chassis and ESXi hosts running the Nexus 1000V; SAN of MDS 9500 directors attached to EMC VMAX. Link types shown: 10GE, FCoE and FC, with 20G and 40G aggregate bundles between layers.]

Page 16

Building an IaaS Infrastructure: Architectural Pillars

Service Orchestration
‒ Dynamic application and reuse of resources
‒ Automated service orchestration and fulfillment; integration with network containers
‒ Rapid self-service IT

High Availability
‒ Carrier-class availability
‒ Platform/network/hardware/software resiliency; minimize the probability and duration of incidents
‒ Focus on your business, not fighting fires

Differentiated Service Support
‒ Design logical models around use cases
‒ Services-oriented framework combining compute, storage and network
‒ Resources are applied and tuned to meet needs

Modularity
‒ Pod-based design
‒ Scalability framework for manageable increments; predictable physical and cost characteristics
‒ Streamlined turn-up of new services

Secure Multi-tenancy
‒ Shared physical infrastructure
‒ Tenant-specific resources and use cases
‒ Comply with business policies

Page 17

POD Concept: DC System Scale Through Modularity

Pod: repeatable storage, compute and network infrastructure including the L2/L3 boundary equipment. The pod is the L2 workload domain.

Access Pod: collection of compute nodes and network ports behind a pair of access switches.

Compute Pod: collection of compute nodes behind a single management domain or HA domain.

Management Pod: access pod dedicated to housing the back-end management compute nodes.

[Diagram: compute pod of Cisco UCS 6100 Fabric Interconnects and UCS 5100 blade servers running VMware vSphere, with Nexus 1010 and VMware vCenter, attached to the aggregation layer over 4x10GE uplinks per fabric interconnect]

Benefits: simplified capacity planning; ease of new technology adoption; ease of fault isolation; consistent and efficient operation.

Page 18

Pod Subsystem: ICS Concept

ICS: collection of pre-integrated storage, compute nodes and network ports behind a pair of access switches. Storage may be 10GE or FC attached (as in the diagram).

Risk mitigation: support for Vblocks and FlexPods; support for future ICS options; ICSs are not mandated, giving flexibility to support alternative storage solutions.

Page 19

POD Scalability

[Diagram: POD 1 to POD 6, each built on UCS 6140 fabric interconnects with NAS and SAN storage, attached to an Access/Aggregation Nexus 7018 pair and a Core Nexus 7010 pair; each POD labelled 512 servers, 16,384 VMs]

Block = 64 servers. POD = 8 blocks = 512 servers. Up to 6 PODs in a data center.
Minimum: 1 POD of 512 servers = 16,384 VMs (32 VMs per server).
Maximum: 6 PODs, 3,072 servers in total = 98,304 VMs.

Maximum scalability is a function of core port density: a Nexus 7018 core would allow for further L2 scale.

Page 20

POD Sizing Considerations

Network: traffic throughput; number of tenants (VRFs) and VLANs; oversubscription factors; high availability (redundant links); port and line-card/chassis density; platform scalability (VRFs, VLANs, interfaces); ratio of service tiers (Gold:Silver:Bronze).

Security & L4-7 Services: service modules or appliances; type and number of services; number of virtual contexts (modules); number of VLANs tied to service modules; application throughput.

Storage: SAN/NAS ports/links; storage throughput, oversubscription, IOPS; number of VSANs and zones; storage array density (disks, ports); distributed or centralized storage.

Compute: number of VMs per tenant and per VLAN; VM-to-core ratio, memory size per VM; number of links, oversubscription factors; ratio of service tiers (Gold:Silver:Bronze); number of blades in a UCS cluster; number of blades in an ESX cluster; number of VMs per blade, per cluster, per pod; vCenter limits on VMs, servers, datastores and ports.

Page 21

System Budgetary Considerations

Nexus 1010 scope:
‒ 64 VEMs per VSM
‒ 2048 active VLANs per VSM
‒ 2048 vEths per VSM
‒ 2048 port-profiles per VSM
‒ 4K MAC addresses per VLAN
‒ 16K MAC address table per VEM

Nexus 1000V scope:
‒ 64 ESX/ESXi hosts per VSM
‒ 2048 virtual Ethernet ports per VMware vDS, with 216 virtual Ethernet ports per physical host
‒ 2048 active VLANs
‒ 2048 port profiles
‒ 32 physical NICs per physical host
‒ 256 PortChannels per VMware vDS, with 8 PortChannels per physical host

VMware 4.1 scope:
‒ number of hosts in a VMware cluster
‒ other network dependencies based on DVS or Nexus 1010
‒ http://www.vmware.com/pdf/vsphere4/r41/vsp_41_config_max.pdf

Nexus 5K scope: 4K VLANs; 16K or 32K MAC addresses

Nexus 7K scope: 4K VLANs; 128K MAC addresses; vPC-bounded scope

UCS scope:
‒ 1000 VLANs
‒ 14K (Gen1) or 32K (Gen2) logical STP ports (Release 2.0)
‒ VIC JMTU limits for uplinks: 10 with ESXi 4.0 U1
‒ VM-FEX vNICs: 56/112

NAS scope: vendor specifics

Page 22

Architecture Fundamental: Multi-tiered Redundancy

[Diagram, by layer:
‒ PE/WAN Edge: data and control plane redundancy at L3
‒ Core: data and control plane redundancy at L2 and L3
‒ Aggregation / Virtualized Access: virtualized aggregation, fabric redundancy, supervisor module redundancy, link redundancy without STP, single logical links to aggregation
‒ Virtual Access Edge: Nexus VSM, VEM MCEC uplink redundancy, virtualized node redundancy (VM #2 to VM #4 shown)
‒ NAS/SAN: storage controller redundancy
Collapsed aggregation/access model and collapsed core/aggregation variant shown; services core not shown, partial view of collapsed core/agg.]

Page 23

VMDC Architecture Fundamental – Tenancy Containers for Cloud Consumers

[Diagram: container types Premium, Palladium and "Raw" (DCI), with other/future types; evolving flexibility to support more complex service models]

Page 24

VMDC Consumer Model: Security Functional Review

Baseline: use logical segmentation (VLANs, ACLs, PVLANs, VRFs) to map security domains to each consumer, separating compliant from non-compliant systems.

For public cloud, separate front-end Private and Public VRFs.

Protected VRF for Layer 3 services; it is the default gateway for virtual machines.

Dedicated ASA virtual firewall context to enforce stateful security services on ingress and egress data center tenant traffic; this allows for zoning.

VSG security services applied across the virtual compute layer to enforce VM security policies.

Interface configurations are not mandated.

[Diagram: Cloud Consumer "X" container. Front-end zone on its own VRF; Protected VRF as the control point; per-tenant ASA context and ACE contexts; Nexus 1000V with vPath steering traffic to the VSG, which enforces policy across Zone 1, Zone 2, Zone 3 and a Shared Zone; non-virtualized servers sit behind the same ASA and ACE contexts]
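The zoning described on this slide (a dedicated ASA context per tenant, a protected VRF as the control point, VSG zones inside the container) can be sanity-checked with a small policy model before it is committed to an orchestrator template. The Python below is an added example written for this page; it is not Cisco code and not part of the VMDC design guides. The zone names, subnets, ports and rules are assumptions chosen to resemble the slide's three-zone container with a shared zone, and `flat_context_mistake` shows what a single shared firewall without per-tenant contexts lets through.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    dst: str      # destination IP
    dport: int    # destination TCP/UDP port


@dataclass(frozen=True)
class Rule:
    src_zone: str          # "*" matches any zone inside the tenant's container
    dst_zone: str
    dport: Optional[int]   # None matches any port
    action: str            # "permit" or "deny"


@dataclass
class TenantContext:
    """One tenant's dedicated firewall context: its zones (VLAN segments behind
    the VSG) and a first-match rule list. Anything unmatched is denied, and an
    address that belongs to no zone of this tenant is not reachable through it
    at all, which keeps tenants apart even when they reuse the same RFC 1918
    space behind their own VRFs."""
    name: str
    zones: list[tuple[str, IPv4Network]]
    rules: list[Rule] = field(default_factory=list)

    def zone_of(self, addr: str) -> Optional[str]:
        a = ip_address(addr)
        for zone, net in self.zones:
            if a in net:
                return zone
        return None

    def evaluate(self, flow: Flow) -> str:
        src_zone, dst_zone = self.zone_of(flow.src), self.zone_of(flow.dst)
        if src_zone is None or dst_zone is None:
            return "deny"   # not inside this tenant's container
        for r in self.rules:
            if (r.src_zone in ("*", src_zone) and r.dst_zone == dst_zone
                    and (r.dport is None or r.dport == flow.dport)):
                return r.action
        return "deny"       # implicit deny at the tenant perimeter


# Shared-services zone (DNS, patching, monitoring) present in every container.
# Constructed address for the example.
SHARED = ip_network("10.255.0.0/24")


def gold_container(name: str, base: str) -> TenantContext:
    """Assumed three-zone Gold container: front end -> zone1 (web) -> zone2 (app)
    -> zone3 (db), plus the shared zone. `base` is the first two octets of the
    tenant's /16; each zone is a /24 carved from it."""
    zones = [
        ("frontend", ip_network(f"{base}.0.0/24")),
        ("zone1", ip_network(f"{base}.1.0/24")),
        ("zone2", ip_network(f"{base}.2.0/24")),
        ("zone3", ip_network(f"{base}.3.0/24")),
        ("shared", SHARED),
    ]
    rules = [
        Rule("frontend", "zone1", 443, "permit"),   # clients reach the web tier only
        Rule("zone1", "zone2", 8080, "permit"),     # web -> app
        Rule("zone2", "zone3", 3306, "permit"),     # app -> db
        Rule("*", "shared", 53, "permit"),          # every zone may use shared DNS
    ]
    return TenantContext(name, zones, rules)


class DataCenter:
    """Tenant contexts keyed by name. A flow is evaluated in the context of the
    tenant whose VRF it arrived on, never by a global destination lookup; that
    is the control point the protected VRF plus per-tenant ASA context gives."""

    def __init__(self, contexts: list[TenantContext]) -> None:
        self.contexts = {c.name: c for c in contexts}

    def evaluate(self, tenant: str, flow: Flow) -> str:
        return self.contexts[tenant].evaluate(flow)


def demo() -> dict[str, str]:
    dc = DataCenter([gold_container("red", "10.1"), gold_container("green", "10.2")])
    return {
        "client_to_web": dc.evaluate("red", Flow("10.1.0.5", "10.1.1.10", 443)),
        "web_to_app": dc.evaluate("red", Flow("10.1.1.10", "10.1.2.10", 8080)),
        "web_to_db_direct": dc.evaluate("red", Flow("10.1.1.10", "10.1.3.10", 3306)),
        "app_to_dns": dc.evaluate("red", Flow("10.1.2.10", "10.255.0.10", 53)),
        "cross_tenant": dc.evaluate("red", Flow("10.1.1.10", "10.2.1.10", 443)),
        "green_own": dc.evaluate("green", Flow("10.2.0.5", "10.2.1.10", 443)),
    }


def flat_context_mistake() -> str:
    """What a single shared firewall without per-tenant contexts does: both
    tenants' zones are merged under the same zone labels, so the zone1 -> zone2
    rule now also matches red's web tier talking to green's app tier."""
    red, green = gold_container("red", "10.1"), gold_container("green", "10.2")
    merged = TenantContext("flat", red.zones + green.zones, red.rules)
    return merged.evaluate(Flow("10.1.1.10", "10.2.2.10", 8080))
```

Because evaluation is keyed by the tenant's own context, red and green could both use 10.1.0.0/16 behind their VRFs and still never reach each other; the flat-context variant permits red's web tier to reach green's app tier because its rule matches on zone labels alone, which is exactly the case a dedicated context per tenant removes.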

Page 25

Secure Multi-tenancy

WAN Edge: secured access with MPLS L2/L3 VPNs and SSL/IPsec VPNs; infrastructure security to protect the device, traffic plane and control plane.

Aggregation/Core and NAS Storage: device virtualization for control, data and management plane segmentation (VSD); NetApp vFilers (NAS).

Services: server load balancing masks servers and applications; application firewall mitigates XSS, HTTP, SQL and XML attacks.

Access: enhanced Layer 2 security with access lists, Dynamic ARP Inspection, DHCP Snooping, IP Source Guard, Port Security and Private VLANs.

Compute / SAN storage / MDS fabric: Cisco VSG on the Nexus 1000V for application security.

Page 26

VMDC Consumer Model: Logical Security Perimeters and Zones

[Diagram: Public/Shared VRF → per-tenant ASA context (front-end tenant perimeter) → Protected VRF (control point) → Private (tenant VRF). Nexus 1000V with vPath and VSG enforce the back-end tenant perimeter and the back-end management perimeter. Zones: Public Zone (DMZ) and Protected FE zone as less trusted front-end zones; back-end Zone 1 and Zone 2 with Sub-Zones W, X, Y and Z.]

Note: RA VPN concentrators not shown.

Page 27

Model of differentiated service "tiers" in VMDC (simplified)

Bronze: no services, best effort
Silver: load balancing, medium bandwidth
Gold: load balancing, firewall and other services, high bandwidth
Premium: multimedia SLA, VoIP/video, low-latency traffic

Tenants can mix and match tiers to build a complete "data center" and support multiple application types.

Page 28

QoS Is a Fundamental Requirement for Differentiated Service Support

QoS provides the means for fine-tuning network performance to meet application requirements.

QoS enables delay and bandwidth commitments to be met without gross over-provisioning.

QoS is a prerequisite for admission control.

Being able to guarantee SLAs is a primary differentiator for SP cloud offerings versus public cloud offerings; QoS enables differentiated SLAs to be supported efficiently.

Page 29

Use Case Example: Tenant Type Mapping to Traffic Service Class

Tenant types are mapped to traffic service classes as shown in the table.

The premise is that a "Gold" tenant runs business-critical data traffic plus multimedia traffic from its virtual machines within the cloud.

The Low Latency class is used for VoIP applications, for example; the Call Control class supports VoIP signalling.

Business Data classes have bandwidth guaranteed per tenant. Each tenant is policed at the agreed bandwidth and excess traffic is marked down. Gold has a higher bandwidth guarantee than Silver. Provisioning rules ensure that the commitments can be met.

The Standard Data class is shared between all Bronze tenants. Beyond a small amount reserved across all tenants, any unused bandwidth is available to this class.

Tenant Type | Traffic Service Class | SLA
Gold | Low Latency (VoIP) | Low latency
Gold | Call Control | BW guarantee
Gold | Business Critical Data | BW guarantee
Silver | Business to Business Data | BW guarantee
Bronze | Standard Data | Available/shared BW
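The per-tenant policing and mark-down just described, as an added example in Python that is not Cisco code or part of the VMDC QoS design. The committed rate, burst size and DSCP pairs (AF31/AF33 for Gold business-critical data, AF21/AF23 for Silver, best effort for the shared Bronze class) are assumptions, and the packet trace is constructed. It also covers a case the slide implies but does not state: a tenant presenting a marking it is not entitled to is remarked to best effort at ingress rather than trusted.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# DSCP values used in the example: RFC 2597 assured-forwarding classes and the
# RFC 2474 default (best effort). The class-to-DSCP mapping is an assumption.
AF31, AF33 = 26, 30   # Gold business-critical data: conform / marked down
AF21, AF23 = 18, 22   # Silver business data: conform / marked down
BE = 0                # Bronze standard data, shared class


@dataclass
class TokenBucket:
    """Single-rate policer: tokens (bytes) refill at cir_bps and are capped at
    bc_bytes, the committed burst. The bucket starts full."""
    cir_bps: float
    bc_bytes: int
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.bc_bytes)

    def conforms(self, nbytes: int, t: float) -> bool:
        elapsed = max(0.0, t - self.last_t)
        self.tokens = min(float(self.bc_bytes), self.tokens + elapsed * self.cir_bps / 8)
        self.last_t = t
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


@dataclass
class ClassPolicy:
    conform_dscp: int
    exceed_dscp: int                 # mark-down value; excess is remarked, not dropped
    bucket: Optional[TokenBucket]    # None = unpoliced shared class (Bronze)


@dataclass(frozen=True)
class Packet:
    t: float       # arrival time in seconds
    nbytes: int
    dscp_in: int   # marking the tenant presented at the Nexus 1000V ingress


def tenant_policy(tier: str, cir_bps: float = 0.0, bc_bytes: int = 0) -> dict[int, ClassPolicy]:
    """Ingress policy for one tenant, keyed by the DSCP the tenant presents."""
    if tier == "gold":
        return {AF31: ClassPolicy(AF31, AF33, TokenBucket(cir_bps, bc_bytes))}
    if tier == "silver":
        return {AF21: ClassPolicy(AF21, AF23, TokenBucket(cir_bps, bc_bytes))}
    return {BE: ClassPolicy(BE, BE, None)}


def police(policy: dict[int, ClassPolicy], packets: list[Packet]) -> list[int]:
    """Return the DSCP each packet leaves the policer with. A marking the tenant
    is not entitled to is rewritten to best effort, so a Bronze tenant cannot
    obtain Gold treatment by marking its own packets AF31."""
    out: list[int] = []
    for p in packets:
        cls = policy.get(p.dscp_in)
        if cls is None:
            out.append(BE)
        elif cls.bucket is None or cls.bucket.conforms(p.nbytes, p.t):
            out.append(cls.conform_dscp)
        else:
            out.append(cls.exceed_dscp)
    return out


def burst_trace(n: int, dscp: int, t0: float = 0.0) -> list[Packet]:
    """Constructed trace: n back-to-back 1500-byte packets arriving at t0."""
    return [Packet(t0, 1500, dscp) for _ in range(n)]


def demo() -> dict[str, list[int]]:
    # Gold tenant: 8 Mbit/s committed, 15,000-byte burst (ten full-size frames)
    gold = tenant_policy("gold", cir_bps=8_000_000, bc_bytes=15_000)
    # 20 packets at t=0 exhaust the burst after 10; one more 15 ms later fits again
    trace = burst_trace(20, AF31) + burst_trace(1, AF31, t0=0.015)
    bronze = tenant_policy("bronze")
    return {
        "gold": police(gold, trace),
        "bronze_marking_af31": police(bronze, burst_trace(3, AF31)),
    }
```

The first ten Gold packets leave as AF31, the next ten are marked down to AF33 rather than dropped, and after 15 ms at 8 Mbit/s the bucket has refilled so the next packet conforms again; the Bronze tenant's self-marked AF31 packets all leave as best effort.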

Page 30

VMDC Service Level Agreements Within the Provider DC QoS Domain

PE southbound SLA: SLA per tenant per class (aligns with the NGN commitment); HQoS performs egress shaping to the tenant aggregate.

Nexus 1000V northbound SLA: SLA per vNIC per VM, or per class per vNIC per VM; ingress policing plus CBWFQ on egress (uplinks).

[Diagram: WAN Edge / DCI – Core – Data Center Edge and Services (MEC) – Aggregation/Access (vPC, 4x10GE) – Compute (includes Nexus 1000V). Per tenant per class at the PE; (per class) per vNIC per VM at the Nexus 1000V.]

Page 31

Standardized Services Models

Standardized POD design with a baseline set of services in the POD: homogeneous, repeatable.

Repeatable physical and logical constructs that can be abstracted (service tiers/bundles, network containers, OS versions) into a services catalogue.

Leads to simpler orchestration: container, service tiers/bundles, OS versions.

Minimize orchestration touch points in the network: consistent workflows.

Identify scale limits within each layer of the POD, for resource pools and capacity/resource management.

Standardize across multiple data centers: DC interconnect, workload mobility, disaster recovery.

Page 32

FabricPath Validation Examples: Typical Data Center Design

Two-spine design details:
‒ L2/L3 boundary at the aggregation switches; SVIs/routed ports provided by M1 or F2 modules
‒ HSRP between the aggregation switches for FHRP (active/standby); run vPC+ for active/active HSRP
‒ FabricPath core ports provided by F1 or F2 modules
‒ Nexus 7000 F1 or F2 modules for EoR/MoR access; Nexus 5548/5596 for ToR access; FEX below the access layer
‒ Direct-path forwarding option
‒ Easily provision parallel bandwidth

Page 33

FabricPath Validation Examples: Switched Fabric Data Center Design, Single Router Pair (FabricPath-Connected Leaf)

‒ FabricPath spine with F1 or F2 modules provides the transit fabric (no routing, no MAC learning)
‒ FabricPath core ports provided by F1 or F2 modules
‒ L2/L3 boundary on a leaf pair of L3 services switches, with SVIs for all VLANs (provided by M1 or F2 modules)
‒ HSRP between the L3 services switches for FHRP (active/standby); run vPC+ for active/active HSRP
‒ All VLANs available at all access switches
‒ Link types in the diagram: Layer 3 link, Layer 2 classical Ethernet, Layer 2 FabricPath

Page 34

Service Orchestration

Page 35

Cloud Unified Reference Framework

[Diagram: Service Orchestration layer over a CMDB (service catalogue, asset inventory, mappings/relationships, human resources) and an infrastructure architecture abstraction that includes EMS and domain managers. Functional columns: Infrastructure Management (optimization, capacity planning, HW/SW management, audits, operations); Service Delivery (selection (SDLC/BCP), allocate/entitlement, commission/decommission, enablement (on/off), fulfillment); Service Management (quality, performance, problem detection/RCA, security and governance, assurance); Cost (compute, network and storage usage, facilities usage, CapEx/OpEx per time unit in hours, metering and billing); SLA (RTO/RPO, maintenance/availability window, penalties, commitment). Technology architecture: network, compute, storage, with end-to-end security. End-user customer portal: scheduling, ordering, price management, dashboard, financial, quality, SLA.]

Page 36

Cloud Management Interface Layers

[Diagram: subscriber-facing Business Service Management (CMDB, service catalog, accounting and chargeback, SLA management) alongside ITSM tools (order fulfilment, SLA reporting, customer care) under ITSM management; an Orchestration layer providing virtual machine services; server, network and storage infrastructure management through domain tools; resource management operated by domain admins.]

Page 37

Service Catalog: Cloud Service Abstractions

Network options: tenant segmentation, service tiers, IP address management, perimeter security, application port security, QoS, web service offloading, SLB services, multi-site, burst capacity, change management, DR

Storage options: IOPS, capacity management, service classes, RAID, snapshots, replication

VM size options: CPU, memory, disk, placement, multi-tier?

Packaging options: Linux, Windows, Apache, MySQL, vApps

Page 38

Service Model Abstraction: Network Containers

Enables abstraction of the physical infrastructure and network services as a set of virtual network resources.
‒ Includes port and interface labeling with service node descriptions for rich XML table abstractions
‒ Resource management and placement algorithms for combined services (VLANs, VRFs, virtual contexts)
‒ Mapping of VMs to network containers via the Nexus 1000V DVS
‒ Custom macros for ACE, FWSM, ASA, Nexus, Catalyst 6K

Benefits:
‒ Simplified yet rich differentiated service definitions at the portal layer
‒ Scalable pod designs with VLAN and VRF conservation
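The resource management and placement step above, together with the scope limits on the System Budgetary Considerations slide, is where an orchestrator's network-container layer decides whether a tenant can be onboarded into a pod at all. The Python below is an added example written for this page, not BMC or Cisco code. The tier-to-resource mapping, pool sizes and context limits are assumptions; the 2048 active VLANs per Nexus 1000V VSM is the figure the sizing slide quotes. Checking every budget before allocating anything, and handing released VLANs back to the pool, is what keeps VLAN and VRF use conserved and tenants' resources disjoint.

```python
from __future__ import annotations

from dataclasses import dataclass

# Resources each validated tier consumes (assumed mapping for the example):
# segments -> VLANs, vrfs -> VRFs at the aggregation layer, fw/lb -> ASA and
# ACE virtual contexts, vfw -> a VSG policy set on the Nexus 1000V.
TIER_RESOURCES = {
    "bronze": dict(segments=1, vrfs=1, fw=0, lb=0, vfw=False),
    "silver": dict(segments=1, vrfs=1, fw=0, lb=1, vfw=False),
    "gold": dict(segments=3, vrfs=1, fw=1, lb=1, vfw=True),
    "palladium": dict(segments=4, vrfs=2, fw=1, lb=1, vfw=True),
}


@dataclass
class PodBudget:
    """Hard limits of one pod. All values are assumptions except vsm_vlans, the
    2048 active VLANs per Nexus 1000V VSM quoted on the sizing slide."""
    vlan_range: range = range(100, 3900)
    vsm_vlans: int = 2048
    vrfs: int = 1000
    asa_contexts: int = 250
    ace_contexts: int = 250


@dataclass
class Container:
    tenant: str
    tier: str
    vlans: list[int]
    vrfs: list[str]
    fw_contexts: list[str]
    lb_contexts: list[str]
    vfw: bool


class AllocationError(Exception):
    pass


class ContainerAllocator:
    def __init__(self, budget: PodBudget) -> None:
        self.budget = budget
        self.free_vlans = list(budget.vlan_range)
        self.containers: dict[str, Container] = {}

    def _in_use(self, attr: str) -> int:
        return sum(len(getattr(c, attr)) for c in self.containers.values())

    def allocate(self, tenant: str, tier: str) -> Container:
        if tenant in self.containers:
            raise AllocationError(f"{tenant} already has a container")
        need, b = TIER_RESOURCES[tier], self.budget
        # Every budget is checked before any pool is touched, so a refused
        # request leaves no half-built container behind.
        if len(self.free_vlans) < need["segments"]:
            raise AllocationError("VLAN pool exhausted")
        if self._in_use("fw_contexts") + need["fw"] > b.asa_contexts:
            raise AllocationError("ASA context limit would be exceeded")
        if self._in_use("lb_contexts") + need["lb"] > b.ace_contexts:
            raise AllocationError("ACE context limit would be exceeded")
        if self._in_use("vrfs") + need["vrfs"] > b.vrfs:
            raise AllocationError("VRF limit would be exceeded")
        if self._in_use("vlans") + need["segments"] > b.vsm_vlans:
            raise AllocationError("Nexus 1000V active-VLAN limit would be exceeded")
        vlans = [self.free_vlans.pop(0) for _ in range(need["segments"])]
        c = Container(
            tenant, tier, vlans,
            [f"{tenant}-vrf{i}" for i in range(need["vrfs"])],
            [f"{tenant}-asa{i}" for i in range(need["fw"])],
            [f"{tenant}-ace{i}" for i in range(need["lb"])],
            need["vfw"],
        )
        self.containers[tenant] = c
        return c

    def release(self, tenant: str) -> None:
        c = self.containers.pop(tenant)
        self.free_vlans = sorted(self.free_vlans + c.vlans)  # VLANs go back to the pool

    def check_isolation(self) -> bool:
        """No VLAN, VRF or context may appear in two tenants' containers."""
        seen: set = set()
        for c in self.containers.values():
            for item in c.vlans + c.vrfs + c.fw_contexts + c.lb_contexts:
                if item in seen:
                    return False
                seen.add(item)
        return True


def demo() -> dict:
    # Deliberately tiny budget so the limits trip within a few requests.
    alloc = ContainerAllocator(PodBudget(vlan_range=range(100, 120), vsm_vlans=5, asa_contexts=1))
    red = alloc.allocate("red", "gold")
    green = alloc.allocate("green", "silver")
    errors = []
    for tenant, tier in [("blue", "gold"), ("violet", "silver"), ("amber", "bronze")]:
        try:
            alloc.allocate(tenant, tier)
        except AllocationError as e:
            errors.append(str(e))
    alloc.release("red")                       # tenant off-boarded
    reused = alloc.allocate("blue", "gold")    # its VLANs are handed out again
    return {
        "red": red.vlans, "green": green.vlans, "errors": errors,
        "reused": reused.vlans, "isolated": alloc.check_isolation(),
        "free": len(alloc.free_vlans),
    }
```

With one ASA context in the budget, the second Gold request is refused before any VLAN is taken; the Bronze request is refused by the VSM active-VLAN limit even though the VLAN pool still has room, which is the distinction between pool size and platform scope the sizing slide draws. Releasing red returns VLANs 100 to 102, and the next Gold tenant receives exactly those.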

Page 39

Tenant Containers

[Diagram: shared physical infrastructure (IP/NGN backbone, WAN edge, core, aggregation, services, compute) carrying per-tenant virtual networks; Customer Red and Customer Green each get their own Web, App and DB segments]

Page 40

VMDC Validated Tenant Containers

[Diagram: validated containers by release (VMDC 2.0, 2.1, 2.2) and tier (Bronze, Silver, Gold, Expanded Gold, Palladium), composed of L2 segments, L3 VRFs, FW and vFW contexts, LB contexts, public and private zones, and protected front-end and back-end zones]

Page 41

BMC Cloud Lifecycle Management Simplifies and Automates Hybrid IT Management

• Orchestrates provisioning of network, compute and storage for delivery of services and applications on demand
• Dynamic allocation of internal and external shared resources based on policy
• Supports multi-sourcing for infrastructure, software and IT services
• Optimizes resource utilization based on business requirements

[Diagram: lifecycle ring of Plan & Govern, Request & Support, Provision & Configure, Monitor & Operate and Integrate & Orchestrate, serving customers, suppliers, partners and employees across physical, virtual, private, public and hybrid resources]

Page 42

Virtual Multi-Tenant Data Center Architecture

• Provides an end-to-end automated lifecycle management solution for cloud-based IT hosting environments
• BMC has released the 2nd-generation Cloud Lifecycle Management platform
• Integrated full-stack cloud services, from the network to applications
• Integrated policy definitions to govern multi-tenancy and security and to make intelligent placement decisions for provisioned services
• Provides a complete self-service, service-catalog-driven platform for automation, orchestration and management
• "Day 2 management": performance, compliance, security

[Diagram: integrated compute stack (FlexPod, Vblock: servers, storage, networks) with secure network containers and network services; BMC Cloud Lifecycle Management above it with Service Catalog (design services and options, translate to business offerings such as VXI, HCS, IaaS), Service Blueprint (network blueprint, storage), Service Governor and Resource Management; a user request selects Option 1, 2 or 3 from the catalog, completes a service request, and the outcome is recorded in the operational repository and mapped to the CMDB]

Page 43

BMC CLM on Cisco VMDC

[Diagram: Cloud Lifecycle Management partners. BMC Atrium (integration and orchestration) with service catalog, self-service portal, network automation, server automation, virtualization resource manager, service governor, orchestration engine, and cloud/application service management with compliance and assurance. Cisco Virtualized Multi-Tenant Data Center: unified data center, unified fabric, unified computing, data center interconnect, cloud intelligent network, network intelligence, secure network container architecture, pre-integrated hardware and storage]

Page 44

BMC CLM 2.5 Components

[Diagram: cloud portals, service catalog and service governor on top; MoM (manager of managers); BSA (BladeLogic Server Automation) for compute, BNA (BladeLogic Network Automation) for network and Atrium Orchestrator for storage, each a CLM component. Managed VMDC layers: VMware vSphere (virtual compute), UCS B and C Series with UCSM (compute), Nexus/DSN/ASA/ACE/ASR/CRS (network), NetApp FAS and NetApp/EMC storage. One element is marked "Not in Current Test".]

Page 45

BMC Cloud Lifecycle Management: End-to-end Cloud Management Platform

Service Catalog / Cloud Service Delivery: service catalog, service blueprints, service governor, DML; modeling of multi-tier services.

Resource Management: management and pooling of infrastructure resources; policy-based placement and mapping of services to cloud resources; resource manager.

[Diagram: Cloud Self Service portal on top; Monitoring, Orchestration, cDB and Policy as supporting functions]

Page 46

CLM User Roles: Support for Key Users of the Cloud

Cloud End User (developers and testers, application owners): requires a fast and easy way to provision and manage services to support business projects. Portal: My Cloud Services.

Org & Tenant Administrators (system administrators responsible for their "slice" of the cloud): require an easy way to manage infrastructure networks and services for their organization.

Cloud Administrators (administrators of the cloud environment): require management of all cloud-related capabilities, including on-boarding resources, setting placement policies, on-boarding customers and defining cloud offerings. Portal: Cloud Admin.

Page 47

Network Resource Details: Onboard Pods & Configure Network Containers

Pods ‒ Represent a portion of the cloud bound by a set of physical network equipment: routers, firewalls, load balancers.

Network Containers ‒ Represent per-tenant network segments of the cloud used to isolate workloads or tenants based on specific policies/rules; can be thought of as a "virtual data center".

Network Zones ‒ Represent workload execution environments used to isolate workloads based on specific polic­ies/rules; typically driven by security and performance requirements.

[Diagram: network resources onboarded through BMC Network Automation or, via the Cloud Provider API, third-party external resource providers]

Page 48

Service Catalog: Business Definition of Service Offerings, Seen by End Users

• Define pre-packaged offerings or allow users to select from an a-la-carte menu
• Entitlements to service offerings based on tenant, user or service type
• Integrated service pricing; continuous metering; change approval
• Post-deployment actions allow defining actions that can be taken on service instances once provisioned (add backup, monitoring, compliance, etc.)

1. Service Offering: SharePoint – Small/Medium/Large ($$$); Exchange – Bronze/Silver/Gold ($$$$); LAMP/WAMP stack ($$); Windows/Linux server, etc. ($)
2. Service Options: add software ($$$); modify memory ($$); modify CPU ($$$)
3. Post-Deploy Actions: anti-virus software ($20 per month); OS patching ($15 per month); application monitoring ($10 per month); monthly backup ($50 per month)

Page 49: Architecture & Service Orchestration for Multi-Tenant Cloud Services


Service Blueprint: Technical definition of service offerings – Cloud Admin

• Service Definition
‒ Define the functional definition of the service: single server to multi-tier applications
‒ Select OS, software packages, and network connections for the service
‒ Integrated Definitive Media Library (DML) for a centralized software package repository

• Service Deployment Definitions
‒ Define one or more ways to deploy a service (virtual, physical or public cloud)
‒ Represent the resources required for operation of a given service
‒ Composed of compute, storage & network (load balancers/firewall rules)

Figure: Deployment Definition 1 – “All-in-one” configuration; Deployment Definition 2 – “Tiered” configuration.

Page 50: Architecture & Service Orchestration for Multi-Tenant Cloud Services


Tying Service Offerings to Blueprints

Cloud Admin side (Service Blueprints, DML) – Create Sharepoint with three deployment definitions:
‒ Small: Sharepoint provisioned on a single VM – 1 CPU, 1GB Memory, 20GB Disk
‒ Medium: Sharepoint provisioned on a single VM – 2 CPU, 4GB Memory, 50GB Disk
‒ Large: Sharepoint provisioned on 3 VMs – Web Tier: 1 CPU, 2GB Memory, 20GB Disk; App Server: 2 CPU, 4GB Memory, 100GB Disk; DB Server: 4 CPU, 8GB Memory, 500GB Disk

End User side (My Services Portal, Service Catalog):
‒ Request Sharepoint
‒ Select Large Deployment: $100 to deploy, $50 a month
‒ Optionally Select Monitoring: $50 a month additional
‒ Submit Request: $100 to deploy, $100 a month

Page 51: Architecture & Service Orchestration for Multi-Tenant Cloud Services


Service Governor: Rules for intelligent placement across distributed cloud resources

• Intelligent placement decisions based on admin-defined policies; examples include:
‒ Service Levels
‒ User Role
‒ Compliance
‒ Location
‒ QoS attributes
‒ Tenant
• Advanced tagging capabilities to match services to the right underlying cloud resources
• Support for secure multi-tenancy and multiple network zones, placing multi-tier applications in the appropriate security zone and network container

Figure: an End User (ABC, Inc) requests an Exchange Service with SLA: Gold and PCI Compliance; the Service Governor matches it to a Network Container and a Compute Pool carrying the tags SLA=Gold, Compliance=PCI and SLA=Gold, Tenant=ABC.

Page 52: Architecture & Service Orchestration for Multi-Tenant Cloud Services


Service Governor Details: Ensure proper usage of cloud resources

Define policies that determine how end-user requests get mapped to underlying resources:
• Auto-selection of compute, network & storage pools as defined by policy
• Tenants, service quality, performance, etc. (customer-defined attributes)

Figure: the Service Governor takes the end-user request data and the Service Blueprint and maps them onto a Pod’s resources – Compute (Cluster 1, Cluster 2; Gold/Silver), Network (Network Container 1, Network Container 2; vRP 1, vRP 2; Gold/Silver) and Storage (Filer 1 SATA, Filer 2 SSD). Placement policies shown: Capacity Based and First Fill.
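Worked example of the tag-and-policy placement described on the last two slides. This is an added illustration, not BMC code: the blueprint sizes, the tags (SLA=Gold, Compliance=PCI, Tenant=ABC) and the two policy names come from the slides; which tags are checked on the container versus the compute pool, and the pool names and free capacities, are assumptions made here.

```python
from dataclasses import dataclass

@dataclass
class Vm:
    role: str
    cpu: int
    mem_gb: int

# Deployment definitions from the "Tying Service Offerings to Blueprints" slide.
BLUEPRINTS = {
    "Small":  [Vm("Sharepoint", 1, 1)],
    "Medium": [Vm("Sharepoint", 2, 4)],
    "Large":  [Vm("Web", 1, 2), Vm("App", 2, 4), Vm("DB", 4, 8)],
}

@dataclass
class Pool:
    name: str
    tags: dict            # admin-assigned, e.g. {"SLA": "Gold", "Compliance": "PCI"}
    free_cpu: int = 0
    free_mem_gb: int = 0

def matches(pool, required):
    """Exact match on every required tag; a pool missing a tag never qualifies."""
    return all(pool.tags.get(k) == v for k, v in required.items())

def fits(pool, vms):
    return (pool.free_cpu >= sum(v.cpu for v in vms)
            and pool.free_mem_gb >= sum(v.mem_gb for v in vms))

def pick(candidates, policy):
    if policy == "first_fill":     # consume pools in admin order before moving on
        return candidates[0]
    if policy == "capacity":       # spread onto the pool with the most headroom
        return max(candidates, key=lambda p: p.free_cpu)
    raise ValueError(f"unknown policy {policy!r}")

def place(request, containers, compute, policy):
    """Map a catalog request to a network container and a compute pool.
    Fails closed: None when no resource carries every required tag, rather
    than falling back to a less constrained pool."""
    vms = BLUEPRINTS[request["size"]]
    # Assumption: container keyed by tenant + SLA, compute pool by SLA + compliance.
    nets = [c for c in containers
            if matches(c, {"Tenant": request["tenant"], "SLA": request["sla"]})]
    pools = [p for p in compute if fits(p, vms) and
             matches(p, {"SLA": request["sla"], "Compliance": request["compliance"]})]
    if not nets or not pools:
        return None
    pool = pick(pools, policy)
    pool.free_cpu -= sum(v.cpu for v in vms)       # reserve what the blueprint needs
    pool.free_mem_gb -= sum(v.mem_gb for v in vms)
    return {"container": nets[0].name, "pool": pool.name, "vms": len(vms)}

def demo(policy, sla="Gold"):
    # Constructed inventory: pool names and free capacities are made up here.
    containers = [Pool("ABC-Gold-NC", {"Tenant": "ABC", "SLA": "Gold"}),
                  Pool("XYZ-Gold-NC", {"Tenant": "XYZ", "SLA": "Gold"})]
    compute = [Pool("Cluster1", {"SLA": "Gold", "Compliance": "PCI"}, 8, 32),
               Pool("Cluster2", {"SLA": "Gold", "Compliance": "PCI"}, 24, 96),
               Pool("Cluster3", {"SLA": "Silver"}, 64, 256)]
    req = {"tenant": "ABC", "sla": sla, "compliance": "PCI", "size": "Large"}
    return place(req, containers, compute, policy)
```

The same Large request lands on Cluster1 under First Fill and on Cluster2 under Capacity Based; a Silver request is refused outright because no container or PCI pool carries that tag.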

Page 53: Architecture & Service Orchestration for Multi-Tenant Cloud Services


CLM Workflow: End-to-End Flow of a New Request

Figure (flow):
‒ Service Catalog: a Service Offering is requested through the Self-service Portal
‒ Service Governor: makes the placement decision and maps the request to a Service Blueprint (Deployment Definition 1, 2 or 3; packages from the DML)
‒ Resource Manager: provisioning of Compute & App, Network, Storage and Public Cloud resources via BMC Server Automation, BMC Network Automation, BMC Atrium Orchestrator and 3rd Party External Resource Providers
‒ Resources available in the Portal; Cloud DB updates; Enterprise CMS/CMDB integration with Change and Asset Mgmt

Page 54: Architecture & Service Orchestration for Multi-Tenant Cloud Services


VMDC + BMC CLM

• VMDC is a Cisco reference architecture for building Private or Public IaaS Clouds.
‒ CVD Design and Implementation Guides available for VMDC 1.0 (Jan 2011), VMDC 2.0 (Jan 2011), and VMDC 2.2 (Nov 2011)
‒ Reference design with a set of platforms, service tiers etc.
‒ Can be used as a basis for more specific customer designs, platforms, service tiers.

• BMC CLM validated as part of the VMDC solution
‒ CLM 1.0.1 validated as part of VMDC 2.0; CLM 2.1 validated as part of VMDC 2.2.
‒ CLM 1.0.1 Design & Validation Guides
‒ VMDC network containers, blueprints and workflows available “out-of-box” in CLM.
‒ Modified customer cloud designs will need customization of BMC CLM (with BMC and Cisco Advanced Services)

Page 55: Architecture & Service Orchestration for Multi-Tenant Cloud Services


Cloud Data Center Design: Deploying VMDC + BMC CLM

• Use VMDC as-is, or with modifications
• Standardized POD design, baseline set of services in the POD – homogeneous, repeatable
• Simplify designs for topologies, service tiers etc. – simpler workflows
‒ Simple design: 1-2 zones, 2-5 VLANs, 1 VRF, 1 vFW, 1 vSLB etc.
‒ Complex design: 5-6 zones, 5-10 VLANs, 3-5 VRFs, 2-4 vFWs, 2-4 vSLBs etc. – complex routing between tiers/zones.
• Minimize the number of service tiers, network containers/zones, service offerings – service catalog
• Simpler design leads to fewer touchpoints – efficient orchestration
• Faster customization and deployment of CLM
• Identify scale limits within each layer of the POD – resource pools, and capacity/resource management
• Easier to maintain, troubleshoot, identify faults, provide service assurance.

Page 56: Architecture & Service Orchestration for Multi-Tenant Cloud Services


Future-proofing Tenant Service Definitions: Zone Based Flexibility

• Dynamic resource re-allocation
• Capacity Management and Dynamic Placement
• Build once, but flexibility to add/modify and define new services
‒ Add additional firewalls, additional interfaces/VLANs etc.
• New flexible container model that defines 5 zones in the out-of-box CLM Network Container
‒ Use 1 or more zones as per your cloud deployment needs
‒ Resources only assigned/created for zones that will be needed
‒ Once a Network Container has been created with 1 or more zones, additional zones can be added or deleted as needed
‒ Within a zone, flexibility to add/delete additional VLAN, vFW, vSLB
‒ Zones inter-connected through VRFs and vFWs

Page 57: Architecture & Service Orchestration for Multi-Tenant Cloud Services


CLM 2.5 Flexible Container

Figure: a tenant container attached to the Internet, the MPLS Core and the customer network (CUST NW), with five zones: PVT, PVT-Protected, PVT-Custom, PUB-Protected, PUB-Custom.

Page 58: Architecture & Service Orchestration for Multi-Tenant Cloud Services

Cisco Intelligent Automation for Cloud

Page 59: Architecture & Service Orchestration for Multi-Tenant Cloud Services


Cisco Cloud Management Solutions

Figure (positioning): labels on the chart are High Scale & Multi-tenant Apps; Significant Complexity; Established Market Position; Complex Cloud Target/SP; Others like OpenStack; Leveraging partner company assets; Automation of IT processes; Integration of apps to the business process; Private Cloud/Large Enterprises; and a base layer of CISCO COMMON TECHNOLOGY – Network, Hypervisor, CCN, etc., OpenStack.

Page 60: Architecture & Service Orchestration for Multi-Tenant Cloud Services


Cisco Intelligent Automation for Cloud

• Customized workflows to promote consistent implementation of best practices and business processes
• Self-service portal to order and manage services through service catalogs
• Provides interfaces into the resource managers to integrate resource management into operational processes.

Figure (Cisco Intelligent Automation for Cloud stack):
‒ Service Catalog and Self-Service Portal: Cisco Cloud Portal
‒ Global Orchestration and Reporting: Cisco Process Orchestrator, with its Adapter Framework and Cloud Automation Pack
‒ OS/SW Provisioning: Cisco Server Provisioner
‒ Virtualization Managers: e.g., VMware vCenter
‒ Hardware Managers: e.g., UCS Manager, Cisco NSM
‒ Managed resources: Compute Resources, Virtual Infrastructure, Network Resources, Storage Resources
‒ Integrations: CMDB, IT Service Management Tools, Billing/Chargeback, Monitoring and Governance

Page 61: Architecture & Service Orchestration for Multi-Tenant Cloud Services


CIAC 3.0 + Adv. Networking on VMDC

Figure (layers, with columns for Network Automation, Pre-provisioned Storage and Compute Automation):
‒ IT Service Catalog and Portal: Cisco Cloud Portal – Catalog, Order, Offer, Metering, Billing, Chargeback
‒ Global Orchestration: Cisco Process Orchestrator
‒ Domain Managers: UCS Manager, vCenter, Tidal Server Provisioner, Cisco Network Services Manager; plus Ticketing, Monitoring, CMDB, Chargeback, AD (LDAP), Governance
‒ Infrastructure elements/devices: NetApp FAS, EMC VMAX, UCS B-series Blades, ESX 5 with VMs, Win2008 R2 OS, DSN (Cat6500, ACE-SM, ACE30), Nexus 5K, 7K
‒ Legend: Cisco software; OEM software; domain managers within the infrastructure; infrastructure elements/devices

Page 62: Architecture & Service Orchestration for Multi-Tenant Cloud Services


How Cisco Network Services Manager Works

Automates and virtualizes infrastructure services using abstracted models and policies that define and control the characteristics and behavior of the cloud.

Figure: Cisco® Network Services Manager sits between Consumers (Users and Groups) and Consumables (the Data Center’s computing and storage resources; Network Access and Security Services), using an Abstracted Business Model, an Abstracted Cloud Operational Model and an Abstracted Service and Topology Model.

• Increases efficiency and reduces the cost of delivering virtualized computing and storage
• Provides dynamic policies for more specific control across operational domains and vendor devices
• Scales well in highly fluid cloud environments

Page 63: Architecture & Service Orchestration for Multi-Tenant Cloud Services


Cisco Network Services Manager Operational Model

Figure: the Cisco® Network Services Manager Engine (Abstracted Business Model, Abstracted Services and Topology Model, Abstracted Cloud Operational Model) exposes a NB API northbound and uses JMS Transport to reach a Cisco Network Services Manager Controller in each Pod/Block, each Pod/Block providing Compute, Network and Storage. Tenant Containers connect the Enterprise Network, the MPLS Network and the Internet through firewalls (FW) into Tenant Network Containers, which hold per-tier Network Containers (Web, Application).

Network Services Manager allows administrators to define the logical constructs of their cloud (access/security, tiers of service, resources and constraints).

Page 64: Architecture & Service Orchestration for Multi-Tenant Cloud Services


Why Cisco Network Services Manager

• Common abstraction layer
• Standardized API
• Flexible, easily consumable interface
• Ensures that the network remains a viable part of the cloud framework
• Fastest deployment and lowest operating costs for cloud

Figure: Service Catalog / Service Portal → Orchestration Module and Automation Module → Cisco® Network Services Manager (Open REST API Abstraction Layer) → SP VMDC Pod, Enterprise VMDC Pod, VNMC.

Page 65: Architecture & Service Orchestration for Multi-Tenant Cloud Services


Cisco Network Services Manager Northbound API

• Designed specifically for cloud solutions where Cisco Network Services Manager is used to provision the network into which VMs are deployed.
• Implemented as a REST-style API, with XML representations.
• Fully asynchronous operation, allowing for requesting long-running provisioning tasks.
• To be used for integration, not direct end-user access. Most operations are intended to be executed as a single authenticated superuser.
• All objects are tied to a specific tenant for traceability and future integration with metering, billing, and service assurance functions.
• Described in detail in “Cisco Network Services Manager API Specification and Reference”.

Page 66: Architecture & Service Orchestration for Multi-Tenant Cloud Services

VMDC Cloud Assurance

Page 67: Architecture & Service Orchestration for Multi-Tenant Cloud Services


From Day-1 to Day-2 Operations

• The ability to assure SLAs is a key barrier to entry to cloud services for enterprises
• The ability to assure SLAs is a key differentiator for SPs over public cloud services, enabling the SP to realise the virtual private cloud opportunity
• The challenge for SPs is how to assure the delivery of SLAs:
‒ That are easy for customers to understand
‒ Across network infrastructure, compute, storage, services and applications
‒ In a dynamically changing environment with high churn
‒ Whilst remaining cost effective

Page 68: Architecture & Service Orchestration for Multi-Tenant Cloud Services


Cloud SLA Assurance Framework

• Service Level Definition (Service Definition): define the service levels you are going to deliver
• Service Design (Service Engineering): Topology design; High Availability; Convergence; Quality of Service; Security
• Service Management & Operations (Service Assurance): Fault Management; Performance Monitoring; Capacity planning; Incident / problem mgmt; Remediation
• Service optimisation: Traffic Engineering; Service Provision; Admission Control; Demand Engineering

Page 69: Architecture & Service Orchestration for Multi-Tenant Cloud Services


Zenoss Cloud Service Assurance for VMDC

Tenant-based service-impact analysis. Example: service topology modeling with integrated Service Impact & Root Cause.

Figure: a Service Topology view, the resulting Service Impact Events, and the ranked probable root-cause events.

Page 70: Architecture & Service Orchestration for Multi-Tenant Cloud Services


Root-cause & Service Impact Analysis

Root-cause Analysis – answers: what’s really broken?
• Reduces MTTR by classifying events into probable root-cause vs. symptomatic events
• Common techniques used for root-cause analysis:
‒ Event-correlation rules
‒ Service topology modeling (CLSA-VMDC 2.2)
‒ Emerging analytics-based technologies

Service-impact Analysis – answers: who & how is impacted?
• Reduces MTTR by prioritizing events by business relevance and urgency
• Prevents future failures by identifying service-impacting technical risk
• Provides data for service availability SLA reporting
• Identifies whether redundancy protected the service availability

Two distinct functions – but they can be implemented in an integrated way to answer “What really caused impact on the services?”

Page 71: Architecture & Service Orchestration for Multi-Tenant Cloud Services


Orchestrated Tenant & VM On-boarding: Zenoss + CIAC

Figure (flow):
‒ Zenoss discovers the existing infrastructure (e.g. vPC – po50, vPC – po60) before the tenant is added
‒ A tenant user requests a VM through CIAC (Tenant User → CCP)
‒ CIAC (TEO) provisions the VM
‒ CIAC sends the mapping of VM to Tenant to Zenoss (Zenoss API: Tenant, Service, VM)
‒ Zenoss auto-discovers the newly provisioned VM and updates the dependency graph after the tenant VM is added
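Added example (not Zenoss or CIAC code) of the integrated root-cause and service-impact analysis from the two preceding slides, run over the kind of dependency graph the on-boarding flow above builds: the VM-to-tenant mapping goes in, an event burst comes out classified as probable root cause versus symptomatic, ranked by the impacted services each root explains, with a note of which services redundancy protected. Node names, the port-channel wiring and the events are constructed here, and a service tier is assumed to be clustered once it has more than one VM.

```python
from collections import defaultdict

class ServiceGraph:
    def __init__(self):
        self.deps = defaultdict(set)   # node -> nodes it relies on
        self.redundant = set()         # stays up while at least one dependency is up
        self.services = set()

    def add(self, node, *depends_on):
        self.deps[node].update(depends_on)
        for d in depends_on:
            self.deps.setdefault(d, set())

    def onboard_vm(self, tenant, service, vm, host):
        """Mirror the VM -> tenant/service mapping that CIAC hands to Zenoss."""
        self.add(f"tenant:{tenant}", service)
        self.add(service, vm)
        self.add(vm, host)
        self.services.add(service)
        if len(self.deps[service]) > 1:   # assumption: a multi-VM tier is clustered
            self.redundant.add(service)

    def _down(self, node, events, memo):
        if node not in memo:
            states = [self._down(d, events, memo) for d in self.deps.get(node, ())]
            quorum = all if node in self.redundant else any
            memo[node] = node in events or (bool(states) and quorum(states))
        return memo[node]

    def _dependents(self, node):
        """Everything that transitively relies on node (walk the reverse edges)."""
        seen, stack = set(), [node]
        while stack:
            cur = stack.pop()
            new = {n for n, ds in self.deps.items() if cur in ds} - seen
            seen |= new
            stack += new
        return seen

    def analyse(self, events):
        events, memo = set(events), {}
        down = {n for n in list(self.deps) if self._down(n, events, memo)}
        # Probable root cause: an event whose own dependencies are all healthy;
        # an event above an already-failed dependency is only symptomatic.
        roots = [e for e in events if not any(d in down for d in self.deps.get(e, ()))]
        impacted = {s for s in self.services if s in down}
        # Rank root causes by how many impacted services each one explains.
        ranked = sorted(roots, key=lambda r: (-len(self._dependents(r) & impacted), r))
        protected = sorted(s for s in self.services
                           if s not in down and any(d in down for d in self.deps[s]))
        return {"root_causes": ranked, "symptomatic": sorted(events - set(roots)),
                "impacted_services": sorted(impacted), "protected_by_redundancy": protected}

def demo():
    g = ServiceGraph()
    # Constructed topology: hosts single-homed to port-channels, as po50/po60 on the slide.
    g.add("host:esx-1", "vpc:po50")
    g.add("host:esx-2", "vpc:po60")
    g.add("host:esx-3", "vpc:po70")
    g.onboard_vm("ABC", "svc:ABC/Sharepoint-Web", "vm:web-1", "host:esx-1")
    g.onboard_vm("ABC", "svc:ABC/Sharepoint-Web", "vm:web-2", "host:esx-3")
    g.onboard_vm("XYZ", "svc:XYZ/Exchange", "vm:mail-1", "host:esx-1")
    # Constructed event burst: po50 fails, everything above it alarms, plus one unrelated host.
    return g.analyse(["vpc:po50", "host:esx-1", "vm:web-1", "vm:mail-1", "host:esx-2"])
```

Of five events, only the port-channel failure and the unrelated host event survive as root causes, and the port-channel ranks first because it is the one that takes a tenant service down; the clustered web tier lost a VM but stays up, which is the “redundancy protected the service” answer the slide calls for.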

Page 72: Architecture & Service Orchestration for Multi-Tenant Cloud Services


VMDC Cloud Service Assurance: Single Normalized & Service Abstracted NBI

Figure:
‒ VMDC Infrastructure layers: DC WAN Edge, DC Agg/Core, DC Access, Network Services, Virtualization, Compute, Storage – devices include ASR9k, ASR1k, Nexus 7k, Cat6k – VSS, Nexus 5k, ACE, ASA, Nexus 1kv, UCS, MDS
‒ Thousands of device events arrive over dozens of VMDC device interfaces
‒ The Service Assurance Manager abstracts the multiple device interfaces behind a single interface and abstracts devices into services
‒ Northbound consumers: SP OSS systems (MoM, Ticketing, etc.) and application-based assurance systems (e.g. HCS Assurance)

Page 73: Architecture & Service Orchestration for Multi-Tenant Cloud Services



Page 74: Architecture & Service Orchestration for Multi-Tenant Cloud Services


Key Takeaways

• Choose a Cloud/DC design that is flexible and scalable
• IaaS, application-specific PODs are key for a repeatable and scalable cloud design
• Design (network, service tiers etc.) should be relatively simple (not too many variations) to simplify orchestration
• Service orchestration and self-service portals are key for elastic and on-demand cloud deployments
• Hybrid cloud possible with offline migration into VMDC, using Data Center Interconnect and vCloud Director
• Service assurance is key for migrating to cloud services
• Cisco has validated and has CVD/DIGs for VMDC infrastructure, BMC CLM and CIAC orchestration. Use these as reference architecture.

Page 75: Architecture & Service Orchestration for Multi-Tenant Cloud Services


Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.

Page 76: Architecture & Service Orchestration for Multi-Tenant Cloud Services
