Cisco Confidential 1 CISCO – OPENSTACK

CISCO – OPENSTACK - Meetupfiles.meetup.com/...OpenStack_Cisco_presentation.pdf · Cisco Confidential 5 CISCO OPENSTACK INSTALLER – OPENING THE CLOUD Simplified installer for the


ROUTE FOR THIS SESSION

•  RTT about 80 minutes

•  Chance to flush cache after 40 minutes (= leg stretch and toilet visit)

•  Path may change due to unpredictable events

•  Cisco & Openstack

•  Introduction to Openstack Neutron and Nexus 1000v

•  “Advanced services”, routing and service VMs in Neutron

•  DEMO: Neutron routing using service VM

•  Cisco Application Centric Infrastructure (ACI)


WHAT OUR CUSTOMERS ARE ASKING FOR

Simplicity Agility Flexibility

CUSTOMER ASK: Can’t you just simplify this?


OPENSTACK AT CISCO

• Private, Public, Clouds

• Extend cloud model for rapid provisioning of network services

• Drive innovation through real-world use cases

Engineering

Customers

Community

•  Cisco OpenStack Installer

•  Neutron Plug-ins for Cisco networking technology

•  Platform for Cisco networking, video, and mobile apps and services

•  OpenStack Foundation Board member

•  Code Contributions across Core services

•  Focus on Network Service, Compute Service and Dashboard


CISCO OPENSTACK INSTALLER – OPENING THE CLOUD

Simplified installer for the suite of OpenStack modules

Works with UCS and Nexus switches

http://docwiki.cisco.com/wiki/OpenStack#Introduction


HOW CISCO USES OPENSTACK

•  “As we examined the various initiatives we’d have underway in our cloud, which would include the intermingling of physical and virtual loads as well as complex network configurations, we knew that the flexibility inherent in OpenStack would prove powerful enough to support our objectives. With OpenStack we have the ability to customize the platform and maintain significant control over our destiny.”

REINHARDT QUELLE, OPERATIONS ARCHITECT, CISCO WEBEX


NETWORK FUNCTION VIRTUALIZATION WITH OPENSTACK

NfV = Transition of network infrastructure services to run on virtualized compute platforms

[Figure: network appliances (DPI, Firewall, NAT, HTTP Optimization, Video Optimization, SAE-GW, PCRF) next to a compute platform running the same kinds of functions as VMs: NAT, Firewall, SBC, dDOS, Virus Scan, SAE-GW, DPI, CGN, GGSN, PCRF, DNS, DHCP, SaMOG, Web Proxy, Video Opt, WLC, CDN, Caching, NMS]


OPENSTACK NETWORK SERVICE (NEUTRON)

•  Provides “network connectivity as a service” between devices managed by other OpenStack services

•  Provides abstractions and functionality needed for cloud networking

•  Provides “advanced” network services like load-balancer, firewalling & VPN

•  Why Neutron?
   –  Nova networking limited to certain use cases
   –  Provide tenants an API to build rich networking topologies
   –  Simplify for vendors to integrate their technology
   –  Foster innovation


NEUTRON MULTI-TENANT NETWORK TOPOLOGIES

•  External (Provider) Net 129.1.77.0/25, 129.1.77.1, Physical Cisco Router

•  Neutron Router, Tenant: Acme
   –  ACME Private Net 1 10.15.1.0/24: ACME VM1 10.15.1.3
   –  ACME Private Net 2 10.15.2.0/25: ACME VM2 10.15.2.3

•  Neutron Router, Tenant: Wily
   –  WILY Private Net 1 192.168.21.0/24: WILY VM1 192.168.21.3
   –  WILY Private Net 2 192.168.51.0/24: WILY VM2 192.168.51.3


TIERED APPLICATION NETWORK WITHIN OPENSTACK

[Figure: Application “A”, Application “B” and Application “C”, built from Web Svr, App Svr, App and DataBase VMs (each VM with its own OS) on the networks cs-web-net-a, cs-app-net-a, cs-db-net-a, cs-app-net-b, cs-db-net-b and cs-app-net-c. VM and router addresses run from 10.99.25.3 to 10.99.31.4. A Neutron Router with an Internet Gateway and a VPN Service connects to the Service Provider Network using 129.1.77.25, 129.1.77.26 and 129.1.77.27.]

OBJECTIVE: CREATE WHAT THE APPLICATION DEVELOPER WANTS


NEUTRON RESOURCES, REST API & ROUTING

[Figure: Neutron architecture. Labels: Users of Neutron; Neutron’s REST API; Neutron API server (includes plugin and extension managers); Neutron’s internal API (Python); Neutron (core) plugin (L2 + IPAM + …); Routing-aaS, VPN-aaS, LB-aaS and FW-aaS service plugins; Extensions (adds REST API & functionality); Neutron DBs; “Arbitrary” APIs (proprietary or open), plugin dependent; Software, e.g., controllers; Physical devices; Virtual machines; Virtual devices.]

Plugin developers decide which extensions a plugin should support


ANATOMY OF FREE NEUTRON PLUGINS

•  There should be free plugins
   –  Reference implementations

•  Openvswitch, Linuxbridge, and ML2 plugins

•  Plugin agent
   –  Runs on each compute node
   –  Connects instances to network port

•  DHCP agent
   –  Creates and configures DHCP servers

•  L3 agent
   –  Creates and configures routers (more later…)

•  Message Queue
   –  Communication between each component of Neutron

•  Database (DB)
   –  Persistent state

Neutron shares DB service and Queue with other OpenStack services

[Figure: Neutron API server, Neutron (core) plugin (L2 + IPAM + …), Neutron DBs, DHCP agent, Plugin agent, L3 agent, Message Queue]


NEXUS 1000V IN OPENSTACK


Nexus 1000v = A Virtual Switch

“A software based switch that runs on the hypervisor and lives in the server…”


[Figure: BEFORE and AFTER views of the same hierarchy of spine switches, leaf switches and hypervisors hosting VMs; in the AFTER view each hypervisor also contains a VEM]

VEM adds another (logical) switch layer into the switch hierarchy


[Figure: Nexus 1000v. Labels: Physical (Bare Metal) Server, Server Operating System (OS), Hypervisor, Virtual Machines, Nexus 1000V VEM, Nexus 1000V VSM, Physical Switch / Top Of Rack Switch, Servers]

VEM has connection to upstream switch

Provides switch ports for local VM’s


There is another ingredient we need to talk about

VXLAN (Virtual Extensible LAN)


Green servers are now located in discontiguous subnets?

Problem – How do you provide Layer 2 adjacency for all Green servers across the Layer 3 network?


The answer is VXLAN

It provides connectivity between Layer 2 networks across a Layer 3 network


Physical Network


We then setup “connections” between virtual switches

Creating our “logical” virtual network


NEUTRON N1KV PLUGIN

•  KVM hypervisor environment

•  VLAN and VXLAN support
   –  Can bridge between segments using VXLAN/VLAN-Gateway VM

•  Can be used with original Cisco plugin
   –  Supports auto-configuration of VLANs in Nexus ToR

•  Support VLAN trunks to VMs

•  Openstack Dashboard support

[Figure: Cisco N1kv (core) plugin (L2 + IPAM + …), N1kv REST API, VSM VM, three VEMs]


ADVANCED SERVICES, ROUTING, & VIRTUAL MACHINES


NEUTRON ADVANCED SERVICES AND ROUTING

•  Anything beyond basic L2, and IPAM

•  So far LB-aaS, Firewall-aaS, VPN-aaS

•  VPN-aaS and FW-aaS rely on “routed/embedded” insertion

•  Means service resources are associated to a Neutron router


NEUTRON ADVANCED SERVICES AND VIRTUAL MACHINES

•  Virtual appliance = appliances in virtual machines

•  Lots of them nowadays

•  Virtual routers, virtual firewalls, virtual gateways, …

•  Often multi-service capable

•  Easy to scale, multi-tenancy gateway

•  Such VMs are called Service VMs

Attractive to implement advanced services using VMs


EXAMPLE: CLOUD SERVICE ROUTER 1000V (CSR1KV)

•  Cisco IOS Software in Virtual Form-Factor

[Figure: UCS Server running a KVM Hypervisor with a Virtual Switch; a VPC/vDC containing App/OS virtual machines and the CSR 1000V]

Programmability

•  RESTful APIs for Automated Management

Perpetual, Term, Usage-based Licenses

•  Elastic Capacity (Throughput)

Single-tenant WAN Gateway

•  Small Footprint, Low Performance

IOS XE Cloud Edition

•  IOS XE features for Cloud Use Cases

Infrastructure Agnostic

•  Server, Switch, Hypervisor

Rich Network Services

•  Routing, VPN, DC Interconnect, etc…


NEUTRON ROUTING USING SERVICE VM


NEUTRON RESOURCES, REST API & ROUTING

•  Resources (abstractions)
   –  Network, Port, Subnet
   –  Router, Floatingip

•  Operations via REST API
   –  Create, Update, Delete
   –  Set-/Clear-gateway
   –  Add-/Delete-router-interface
   –  Update routes

[Figure: Tenant A and Tenant B topologies. Neutron networks 1 to 3 with Subnets 1 to 4 and their VMs, Routers 1 to 3, an External network, and FloatingIP 1 with its SNAT/DNAT association.]


NEUTRON’S ROUTING REFERENCE IMPLEMENTATION

•  Only for namespaces

•  Scheduler: Router → L3 agent

•  L3 agent only configures ...
   –  … host it runs on
   –  … Linux network namespaces

•  Assumption is that …
   –  hosting device == configuring device

•  No service VM support
   –  They also take time to boot …

[Figure: User request using Neutron’s routing REST API; Neutron API server; Neutron plugin (L3_NAT_db_mixin) with agent scheduler; Neutron DBs; routers_updated() notify via AMQP; sync_routers() RPC via AMQP; two network nodes, each with an L3 agent and several namespaces. A logical Neutron router is instantiated in a namespace.]

Typical plugin workflow for Router/Floatingip operations: DB operations → schedule → send notification

Plugin handling of sync_routers() call: auto_schedule → fetch router configs → return router configs

But …


ADDED PIECES HIGHLIGHT

Router VM

Logical Neutron Router

Scheduler: router → hosting device

Logical router is instantiated here

L3CfgAgent

Configures hosting devices of this type

Configures hosting devices of this type

Service VM Manager

Life cycle management of service VMs via Nova


ATTACHING/DETACHING ROUTER FROM SUBNETS

•  VIF hot-plugging one possibility
   –  Requires OS support
   –  # PCI devices limit attachable subnets (~8-24)

•  N1kv plugin supports VLAN trunking!
   –  ~4k attachable subnets
   –  Most OSes support logical VLAN sub-interfaces
   –  Fast operation

•  Attach: trunk VLAN used for Neutron network

•  Detach: un-trunk VLAN used for Neutron network

•  VXLANs mapped to link local VLANs

[Figure: Neutron Network 1 and Neutron Network 2 with Attach and Detach (X) operations towards Router 1; the router service VM’s VIF connects to a trunk port, VLAN = [x, y]]


WORKFLOW BEHIND THE SCENES

[Figure: workflow steps (1) to (8), starting with (1) a user request using Neutron’s routing REST API. Components: Neutron API server, N1kv (core) plugin (L2 + IPAM + Routing), Scheduler, Service VM Manager, DB processing, Other, Neutron DBs, L3CfgAgent, Router service VM with VRFs, Nova, Glance, Hypervisor (KVM), Libvirt. Interfaces: Neutron REST API, Glance REST API, Python RPC using AMQP, Python Alchemy API. All Python.]


DEMO

Neutron routing using service VM


[Figure: Demo tenant’s virtual topology in the Openstack cloud: VMs vm1 and vm2 on bob_test_net1 (internal) and on bob_test_net2 (internal), Router 1, and bob_test_extnet1 (external); subnets 10.0.11.0/24, 10.0.12.0/24 and 10.0.21.0/24, with 10.0.21.3 on the external side. Single node Openstack setup on a UCS server (eth0): RabbitMQ, MySQL, Keystone, Nova, Nova agent, Glance, Neutron, N1kv plugin, DHCP agent, L3CfgAgent, VSM VM, VEM, Hypervisor KVM. Openstack dashboard 1 shows the Demo tenant, Openstack dashboard 2 the L3AdminTenant.]


CISCO – APPLICATION CENTRIC INFRASTRUCTURE


”MAKE EVERYTHING AS SIMPLE AS POSSIBLE, BUT NOT SIMPLER”

- ALBERT EINSTEIN


OPEN RESTFUL APIS CENTRALIZED POLICY MODEL

OPEN SOURCE

CONTROLLER

APIC

ACI BUILDING BLOCKS NEXT GENERATION NEXUS—TRADITIONAL NETWORKS

POLICY MODEL

ACI

BUILT-IN LINE RATE END POINT DIRECTORY

INTEGRATED OVERLAY 40G NON-BLOCKING FABRIC

SIMPLE, SECURE

50% SIMPLER CODE BASE

FUTURE PROOF UPGRADABLE TO ACI

PROGRAMMABILITY AND AUTOMATION

NETWORK VIRTUALIZATION SUPPORT

RESILIENCY: IN SERVICE PATCHING, UPGRADE, FAST RESTART

ACI BUILDING BLOCKS FUTURE PROOF—SOFTWARE UPGRADABLE TO ACI

NEXUS 9500 and 9300 INNOVATIONS IN SOFTWARE HARDWARE AND SYSTEM DESIGN

PRICE POWER EFFICIENCY PROGRAMMABILITY PORT DENSITY PERFORMANCE

OPTIMIZED NX-OS SCALE OUT WITHOUT COMPROMISE COMMON BUILDING BLOCKS - ACCESS AND CORE

APIC


ACI FABRIC IP NETWORK WITH AN INTEGRATED OVERLAY

•  ACI Fabric is based on an IP fabric supporting routing to the edge with an integrated overlay for host routing

‒  All end-host (tenant) traffic within the fabric is carried through the overlay

•  Why choose an integrated overlay?

‒  Mobility, scale, multi-tenancy, and integration with emerging hypervisor designs

[Figure: APIC and an IP fabric with integrated overlay; IP un-numbered 40 Gb links]


WHY OVERLAYS?

Flexible Overlay Virtual Network

•  Mobility – Track end-point attach at edges

•  Scale – Reduce core state
   –  Distribute and partition state to network edge

•  Flexibility/Programmability
   –  Reduced number of touch points

Robust Underlay/Fabric

•  High Capacity Resilient Fabric

•  Intelligent Packet Handling

•  Programmable & Manageable


APPLICATION VIRTUAL SWITCH (AVS)

Consistent Policy enforcement for Virtual and Physical workloads

•  Purpose-Built Virtual member of ACI

•  Full Fabric Integration (VSM not required)

•  Single point of management for virtual and physical (APIC)

•  Optimal traffic steering

•  Integrated visibility (physical, virtual)

•  Seamless workload mobility

•  Consistent operational model across hypervisors

AVS Highlights

[Figure: Web VM and App VM attached to the Application Virtual Switch, a DB Tier, and APIC]


APPLICATION CENTRIC INFRASTRUCTURE CONTROLLER

APIC

•  Unified point of fabric automation and management including application policies

•  Distributed clustered software running on x86 appliance

•  GUI, CLI and RESTful APIs

•  Central management of Fabric:
   –  End point policies
   –  Firmware Spine / Leaf Imaging
   –  Inventory
   –  Topology
   –  Monitoring / Troubleshooting
   –  Compute Integration
   –  3rd party integration


ACI DEVICE PACKAGE

•  Defines services appliances

•  Lists service functions offered by the services appliance

•  Provides scripts for driving service configuration

•  Plan is to open the API so that anyone can create a device package and have a community similar to Puppet manifests or Chef recipes

ACI SERVICE AUTOMATION ARCHITECTURE

[Figure: APIC Appliance, APIC – Policy Element, Configuration Model, Script Engine, APIC Script Interface, Device Specific Python Scripts, Device Interface: REST/CLI]


“SIMPLICITY IS ABOUT SUBTRACTING THE OBVIOUS AND ADDING THE MEANINGFUL”

- JOHN MAEDA

ACI POLICY MODEL


AGILITY: ANY APPLICATION, ANYWHERE—PHYSICAL AND VIRTUAL COMMON APPLICATION NETWORK PROFILE

[Figure: an APPLICATION NETWORK PROFILE (WEB, APP and DB tiers with ADC and F/W) held on the APIC and applied across hypervisors. Labels: Connectivity policy; Security policies; QoS, bandwidth reservation, availability; Storage and compute; Application L4-L7 services; SLA, QoS, Security, Load Balancing; Extensible Scripting Model.]


ACI POLICY MODEL FORMALIZED DESCRIPTION OF CONNECTIVITY

[Figure: EPG - Web, containing four HTTPS Service and four HTTP Service end-points]

EPGs are a grouping of end-points representing application or application components independent of other network constructs.

POLICY MODEL


END-POINTS

•  Device connected to network directly or indirectly

•  Has address (identity), location, attributes (version, patch level)

•  Can be physical or virtual

•  Examples:

Server Virtual Machine Storage Client on Internet NIC, vNIC DNS

Server

VM#

Virtual Machine

Storage

Client


END-POINT GROUPS EPGS

[Figure: end-points (EP … EP) collected into an end-point group [ EPG ]; policies between EPG WEB and EPG APP SERVER]

All EPs share common properties

•  Connectivity

•  Security/Access control

•  QoS

•  Services

•  …

Can flexibly map into

•  application tier of multi-tier app

•  segmentation construct (ala VLAN)

•  a security construct

•  Neutron port groups

•  …

Allows rules and policies to be specified on groups of physical or virtual end-points without understanding of specific identifiers and regardless of physical location.


MULTIPLE CONTRACTS

[Figure: end-points (EP) in EPG WEB and EPG APP SERVER; a web contract with provider and consumer roles between the two EPGs, alongside an ssh contract and a mgmt contract]

EPs in EPG WEB can access EPs in EPG APP SERVER on subjects (L4 ports) specified in this contract, subjected to actions in this contract

EPs in EPG WEB can NOT access EPs in EPG APP SERVER on subjects (L4 ports) specified in these contracts

•  Explicit white-list like model for specifying rules between groups
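
The white-list contract model on this slide, sketched as an added Python example (not from the presentation and not APIC code): a flow is permitted only when the source end-point's EPG consumes, and the destination's EPG provides, a contract whose subjects include the destination L4 port. The class and function names, the ADMIN group, the end-point names and the port numbers are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Contract:
    """Named set of subjects; each subject is a (protocol, L4 port) pair."""
    name: str
    subjects: frozenset


@dataclass
class EPG:
    """End-point group: members plus the contracts it provides/consumes."""
    name: str
    endpoints: set = field(default_factory=set)
    provides: set = field(default_factory=set)
    consumes: set = field(default_factory=set)


class Policy:
    def __init__(self, contracts, epgs):
        self.contracts = {c.name: c for c in contracts}
        self.epgs = list(epgs)
        self.ep_to_epg = {}
        for epg in self.epgs:
            for ep in epg.endpoints:
                # Sketch assumption: an end-point belongs to exactly one EPG.
                if ep in self.ep_to_epg:
                    raise ValueError(f"end-point {ep!r} is in two EPGs")
                self.ep_to_epg[ep] = epg

    def dangling_contracts(self):
        """Contract names referenced by an EPG but never defined."""
        used = set()
        for epg in self.epgs:
            used |= epg.provides | epg.consumes
        return sorted(used - set(self.contracts))

    def is_allowed(self, src_ep, dst_ep, protocol, port):
        """Return (allowed, contract name or reason).

        Only the consumer-to-provider direction is checked; return traffic
        and traffic inside one EPG are not modeled in this sketch.
        """
        src = self.ep_to_epg.get(src_ep)
        dst = self.ep_to_epg.get(dst_ep)
        if src is None or dst is None:
            return False, "unknown end-point"
        for name in sorted(src.consumes & dst.provides):
            contract = self.contracts.get(name)
            if contract is not None and (protocol, port) in contract.subjects:
                return True, name
        # White-list: nothing matched, so the flow is not permitted.
        return False, "no matching contract"


def audit_flows(policy, flows):
    """Return the flows the policy would not permit, with the reason."""
    denied = []
    for flow in flows:
        allowed, reason = policy.is_allowed(*flow)
        if not allowed:
            denied.append((flow, reason))
    return denied


def build_sample_policy():
    # Constructed sample: port numbers and the ADMIN group are assumptions.
    contracts = [
        Contract("web", frozenset({("tcp", 80), ("tcp", 443)})),
        Contract("ssh", frozenset({("tcp", 22)})),
        Contract("mgmt", frozenset({("udp", 161)})),
    ]
    epgs = [
        EPG("WEB", {"web-1", "web-2"}, consumes={"web"}),
        EPG("APP SERVER", {"app-1"}, provides={"web", "ssh", "mgmt"}),
        # "backup" is deliberately undefined to show the dangling check.
        EPG("ADMIN", {"admin-1"}, consumes={"ssh", "mgmt", "backup"}),
    ]
    return Policy(contracts, epgs)


# Constructed flows: (source end-point, destination end-point, protocol, port)
SAMPLE_FLOWS = [
    ("web-1", "app-1", "tcp", 443),    # WEB consumes web contract
    ("web-2", "app-1", "tcp", 22),     # WEB does not consume ssh contract
    ("admin-1", "app-1", "tcp", 22),   # ADMIN consumes ssh contract
    ("app-1", "web-1", "tcp", 443),    # APP SERVER consumes nothing
    ("rogue-9", "app-1", "tcp", 80),   # end-point in no EPG
]

if __name__ == "__main__":
    policy = build_sample_policy()
    print("dangling contracts:", policy.dangling_contracts())
    for flow, reason in audit_flows(policy, SAMPLE_FLOWS):
        print("DENY", flow, reason)
```
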


BUNDLES

[Figure: EPG APP SERVER with “provides”, “consumes” and “protected by” relations to contract bundles. Bundles shown contain an http contract, https contract, SQL contract, DNS contract, ssh contract and mgmt contract (…); TABOO entries are bundled as well.]

Contracts can be combined in bundles

Bundles of contracts can be provided by EPGs

Bundles of contracts can be consumed by EPGs

Taboos can be bundled as well


EXAMPLE: THREE TIER APPLICATION

[Figure: EPG WEB, EPG APP and EPG DB, each with a bridge domain (bd), inside one L3 context, with NW Public and NW Private subnets. Provide and consume relations link the EPGs, Outside and infra shared services through the web bundle, java bundle, sql bundle and mgmt bundle.]


APPLICATION NETWORK PROFILE


POLICY OPTIONS: ACTIONS

[Figure: Permit, Deny, Redirect, Log, Copy Packet, Mark Packet DSCP]

There are six policy options supported:

•  Permit the traffic

•  Block the traffic

•  Redirect the traffic

•  Log the traffic

•  Copy the traffic

•  Mark the traffic (DSCP/QoS)

Policy encompasses traffic handling, quality of service, security monitoring and logging.


APIC – SERVICE CHAIN


OPENSTACK NEUTRON NETWORK MODEL

[Figure: Tenant with Network, Subnet, Port, Router, Network: external, Security Group and Security Group Rule; grouped as Core API, L3 + External Net Extension, and Sec Grp Extension]


ACI MODEL

[Figure: Tenant with Context (VRF), Bridge Domain, Subnet, App Profile, Endpoint Group, Contract, Subject and Outside Network]


ACI NEUTRON PLUGIN

APIC REST API

•  APIC Plugin for Fabric using ML2 framework

•  Translates Neutron primitives to Insieme policy model

•  ML2 allows plugin to select network technology

•  Existing Neutron functions only

[Figure: Neutron API, ML2 Plugin with OVS driver and APIC driver, seven KVM hosts each running OVS, and APIC]


EXTENDING ACI DATA MODEL INTO OPENSTACK

•  Goal: Introduce ACI model into OpenStack

•  Starting with Groups and Group based Policies


KEY TAKEAWAYS


CISCO + OPENSTACK SOLUTION

Common pool of Cisco infrastructure where OpenStack binds everything together.

[Figure: APIC, OpenStack, four VM boxes and two BM boxes]


QA

•  Questions?


Thank you.