Cisco Confidential 1
CISCO – OPENSTACK
ROUTE FOR THIS SESSION
• RTT about 80 minutes
• Chance to flush cache after 40 minutes (= leg stretch and toilet visit)
• Path may change due to unpredictable events
• Cisco & Openstack
• Introduction to Openstack Neutron and Nexus 1000v
• “Advanced services”, routing and service VMs in Neutron
• DEMO: Neutron routing using service VM
• Cisco Application Centric Infrastructure (ACI)
WHAT OUR CUSTOMERS ARE ASKING FOR
Simplicity Agility Flexibility
CUSTOMER ASK: Can’t you just simplify this?
OPENSTACK AT CISCO
Engineering
• Private, Public, Clouds
• Extend cloud model for rapid provisioning of network services
• Drive innovation through real-world use cases
Customers
• Cisco OpenStack Installer
• Neutron Plug-ins for Cisco networking technology
• Platform for Cisco networking, video, and mobile apps and services
Community
• OpenStack Foundation Board member
• Code Contributions across Core services
• Focus on Network Service, Compute Service and Dashboard
CISCO OPENSTACK INSTALLER – OPENING THE CLOUD
Simplified installer for the suite of OpenStack modules
Works with UCS and Nexus switches
http://docwiki.cisco.com/wiki/OpenStack#Introduction
HOW CISCO USES OPENSTACK
• “As we examined the various initiatives we’d have underway in our cloud, which would include the intermingling of physical and virtual loads as well as complex network configurations, we knew that the flexibility inherent in OpenStack would prove powerful enough to support our objectives. With OpenStack we have the ability to customize the platform and maintain significant control over our destiny.”
REINHARDT QUELLE, OPERATIONS ARCHITECT, CISCO WEBEX
NETWORK FUNCTION VIRTUALIZATION WITH OPENSTACK
NfV = Transition of network infrastructure services to run on virtualized compute platforms
[Figure: network appliances (DPI, Firewall, NAT, HTTP Optimization, Video Optimization, SAE-GW, PCRF) moving from dedicated hardware onto a compute platform, each function running as a VM: NAT, Firewall, SBC, dDOS, Virus Scan, SAE-GW, DPI, CGN, GGSN, PCRF, DNS, DHCP, SaMOG, Web Proxy, Video Opt, WLC, CDN, Caching, NMS]
OPENSTACK NETWORK SERVICE (NEUTRON)
• Provides “network connectivity as a service” between devices managed by other OpenStack services
• Provides abstractions and functionality needed for cloud networking
• Provides “advanced” network services like load-balancer, firewalling & VPN
• Why Neutron?
 – Nova networking limited to certain use cases
 – Provide tenants an API to build rich networking topologies
 – Simplify for vendors to integrate their technology
 – Foster innovation
NEUTRON MULTI-TENANT NETWORK TOPOLOGIES
[Figure: External (Provider) Net 129.1.77.0/25 with gateway 129.1.77.1 on a Physical Cisco Router. Tenant Acme: a Neutron Router attached to ACME Private Net 1 10.15.1.0/24 (ACME VM1 at 10.15.1.3) and ACME Private Net 2 10.15.2.0/25 (ACME VM2 at 10.15.2.3). Tenant Wily: a Neutron Router attached to WILY Private Net 1 192.168.21.0/24 (WILY VM1 at 192.168.21.3) and WILY Private Net 2 192.168.51.0/24 (WILY VM2 at 192.168.51.3).]
TIERED APPLICATION NETWORK WITHIN OPENSTACK
[Figure: three applications built from Web Svr, App Svr and DataBase VMs. Application “A” uses networks cs-web-net-a, cs-app-net-a and cs-db-net-a; Application “B” uses cs-app-net-b and cs-db-net-b; Application “C” uses cs-app-net-c. Tenant addresses fall in 10.99.25.x – 10.99.31.x; a Neutron Router acts as Internet Gateway (129.1.77.25, .26, .27 on the external side) and a VPN Service connects to the Service Provider Network.]
OBJECTIVE: CREATE WHAT THE APPLICATION DEVELOPER WANTS
NEUTRON RESOURCES, REST API & ROUTING
[Figure: Neutron architecture. Users of Neutron call Neutron’s REST API. The Neutron API server (includes plugin and extension managers) dispatches over Neutron’s internal API (Python) to the Neutron (core) plugin (L2 + IPAM + …) and to service plugins: Routing-aaS, VPN-aaS, LB-aaS, FW-aaS, … Each plugin can carry Extensions that add REST API & functionality; plugin developers decide which extensions a plugin should support. Plugins persist state in the Neutron DBs and drive physical devices, virtual machines, virtual devices and software (e.g., controllers) through “arbitrary” APIs (proprietary or open), plugin dependent.]
ANATOMY OF FREE NEUTRON PLUGINS
• There should be free plugins: reference implementations
• Openvswitch, Linuxbridge, and ML2 plugins
• Plugin agent: runs on each compute node, connects instances to network port
• DHCP agent: creates and configures DHCP servers
• L3 agent: creates and configures routers (more later…)
• Message Queue: communication between each component of neutron
• Database (DB): persistent state
Neutron shares DB service and Queue with other OpenStack services
[Figure: Neutron API server and Neutron (core) plugin (L2 + IPAM + …) backed by the Neutron DBs; DHCP agent, Plugin agent and L3 agent reached through the Message Queue.]
NEXUS 1000V IN OPENSTACK
Nexus 1000v = A Virtual Switch
“A software based switch that runs on the hypervisor and lives in the server…”
[Figure: BEFORE – Spine Switches, Leaf Switches and Hypervisors with VMs. AFTER – the same hierarchy with a VEM inside each Hypervisor.]
VEM adds another (logical) switch layer into the switch hierarchy
[Figure: a Physical (Bare Metal) Server running a Server Operating System (OS) and a Hypervisor that hosts Virtual Machines and the Nexus 1000V VEM; the Nexus 1000V VSM manages the VEMs; a Physical Switch / Top Of Rack Switch connects a rack of such servers.]
VEM has a connection to the upstream switch and provides switch ports for local VMs
VXLAN (Virtual Extensible LAN)
There is another ingredient we need to talk about
Green servers are now located in dis-contiguous subnets?
Problem – How do you provide Layer 2 adjacency for all Green servers across the Layer 3 network?
The answer is VXLAN
It provides connectivity between Layer 2 networks across a Layer 3 network
[Figure: virtual switches placed on the Physical Network]
We then set up “connections” between virtual switches, creating our “logical” virtual network
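To make the encapsulation concrete, here is an added example (not from the deck and not Cisco code) in Python. It builds a constructed IPv4/UDP packet that carries a VXLAN header (UDP destination port 4789, VNI in the 24-bit field) around an inner Ethernet frame, then parses it back to recover the segment id and the inner MAC addresses. The MAC and IP addresses are made up; IP and UDP checksums are left at zero. The I-flag check shows why a receiver should drop a header whose VNI is not marked valid rather than guess the segment.

```python
"""Minimal VXLAN (RFC 7348) encapsulation and decapsulation.

Added example, not from the Cisco deck. Constructed addresses throughout;
IP/UDP checksums are zero for brevity.
"""
import struct
import ipaddress

VXLAN_UDP_PORT = 4789          # IANA-assigned destination port for VXLAN
VXLAN_FLAG_I = 0x08            # "I" flag: the VNI field is valid
IPPROTO_UDP = 17


def mac_bytes(mac):
    return bytes(int(b, 16) for b in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_inner_frame(dst_mac, src_mac, ethertype, payload):
    """Inner (tenant) Ethernet frame: dst MAC, src MAC, ethertype, payload."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def vxlan_header(vni):
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # 8 bytes: flags(8) | reserved(24) | VNI(24) | reserved(8)
    return struct.pack("!BBHI", VXLAN_FLAG_I, 0, 0, vni << 8)


def vxlan_encap(vni, inner_frame, src_ip, dst_ip, src_port=49152):
    """Return IPv4 header + UDP header + VXLAN header + inner frame (the outer Ethernet is omitted)."""
    vx = vxlan_header(vni) + inner_frame
    udp_len = 8 + len(vx)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0) + vx
    total_len = 20 + len(udp)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0x4000, 64, IPPROTO_UDP, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return ip + udp


def vxlan_decap(packet):
    """Parse an IPv4 packet; return VNI and inner-frame fields, or None if it is not valid VXLAN."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_UDP or len(packet) < ihl + 8:
        return None
    src_ip = str(ipaddress.IPv4Address(packet[12:16]))
    dst_ip = str(ipaddress.IPv4Address(packet[16:20]))
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != VXLAN_UDP_PORT:
        return None
    vx = packet[ihl + 8:ihl + ulen]
    if len(vx) < 8 + 14:                 # header plus a minimal Ethernet header
        return None
    flags, _r1, _r2, vni_word = struct.unpack("!BBHI", vx[:8])
    if not flags & VXLAN_FLAG_I:
        return None                      # VNI not flagged valid: drop, do not guess
    inner = vx[8:]
    return {
        "outer_src": src_ip, "outer_dst": dst_ip,
        "vni": vni_word >> 8,
        "inner_dst": mac_str(inner[0:6]),
        "inner_src": mac_str(inner[6:12]),
        "ethertype": struct.unpack("!H", inner[12:14])[0],
        "payload": inner[14:],
    }


# Constructed sample: a "green" VM frame carried between two VEM/VTEP hosts.
SAMPLE = vxlan_encap(
    5001,
    build_inner_frame("52:54:00:aa:bb:01", "52:54:00:aa:bb:02", 0x0800, b"inner-ip"),
    "10.0.1.11", "10.0.2.22")

if __name__ == "__main__":
    print(vxlan_decap(SAMPLE))
```

The VNI is what gives each tenant its own Layer 2 segment over the shared Layer 3 underlay, so a monitoring point on the underlay that wants to attribute a frame to a tenant has to decapsulate exactly as above.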
NEUTRON N1KV PLUGIN
• KVM hypervisor environment
• VLAN and VXLAN support; can bridge between segments using VXLAN/VLAN-Gateway VM
• Can be used with original Cisco plugin; supports auto-configuration of VLANs in Nexus ToR
• Support VLAN trunks to VMs
• Openstack Dashboard support
[Figure: the Cisco N1kv (core) plugin (L2 + IPAM + …) talks to the VSM VM over the N1kv REST API; the VSM manages the VEMs.]
ADVANCED SERVICES, ROUTING, & VIRTUAL MACHINES
NEUTRON ADVANCED SERVICES AND ROUTING
• Anything beyond basic L2, and IPAM
• So far LB-aaS, Firewall-aaS, VPN-aaS
• VPN-aaS and FW-aaS rely on “routed/embedded” insertion
 – Means service resources are associated to a Neutron router
NEUTRON ADVANCED SERVICES AND VIRTUAL MACHINES
• Virtual appliance = appliances in virtual machines
• Lots of them nowadays
• Virtual routers, virtual firewalls, virtual gateways, …
• Often multi-service capable
• Easy to scale, multi-tenancy gateway
• Such VMs are called Service VMs
Attractive to implement advanced services using VMs
EXAMPLE: CLOUD SERVICE ROUTER 1000V (CSR1KV)
• Cisco IOS Software in Virtual Form-Factor
[Figure: CSR 1000V running as a VM next to application VMs (OS + App) on a KVM Hypervisor with a Virtual Switch on a UCS Server, serving a VPC/vDC.]
Programmability
• RESTful APIs for Automated Management
Perpetual, Term, Usage-based Licenses
• Elastic Capacity (Throughput)
Single-tenant WAN Gateway
• Small Footprint, Low Performance
IOS XE Cloud Edition
• IOS XE features for Cloud Use Cases
Infrastructure Agnostic
• Server, Switch, Hypervisor
Rich Network Services
• Routing, VPN, DC Interconnect, etc…
NEUTRON ROUTING USING SERVICE VM
NEUTRON RESOURCES, REST API & ROUTING
• Resources (abstractions): Network, Port, Subnet; Router, Floatingip
• Operations via REST API: Create, Update, Delete; Set-/Clear-gateway; Add-/Delete-router-interface; Update routes
[Figure: Tenant A has Neutron network 1 (Subnet 1, Subnet 2) and Neutron network 2 (Subnet 3, Subnet 4) with VM1–VM4; Tenant B has Neutron network 3 with VM1 and VM2. Router 1, Router 2 and Router 3 connect the tenant networks to the External network; FloatingIP 1 is an SNAT/DNAT association on a router.]
NEUTRON’S ROUTING REFERENCE IMPLEMENTATION
• Only for namespaces
• Scheduler: Router → L3 agent
• L3 agent only configures … the host it runs on … Linux network namespaces
• Assumption is that … hosting device == configuring device
• No service VM support; they also take time to boot …
[Figure: a user request using Neutron’s routing REST API reaches the Neutron API server and the Neutron plugin (L3_NAT_db_mixin with agent scheduler) backed by the Neutron DBs. The plugin notifies the L3 agents on the Network nodes with routers_updated() via AMQP; the L3 agents call sync_routers() RPC via AMQP. The Logical Neutron Router is instantiated as a Name-space on a Network node.]
Typical plugin workflow for Router/Floatingip operations: DB operations → schedule → send notification
Plugin handling of sync_routers() call: auto_schedule → fetch router configs → return router configs
But …
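As an added illustration (not Neutron’s own code) of the two workflows just described, the Python model below uses a dict in place of the Neutron DB and a per-host list in place of the AMQP queue. It runs the plugin side (DB operation, schedule the router to an L3 agent, send a routers_updated notification) and the agent side (sync_routers: auto-schedule unbound routers to the calling host, fetch the router configs, instantiate a namespace on that host). Class names, host names, the least-loaded scheduling rule and the sample tenants are all invented; the simplification that sync_routers returns every router bound to the host is also an assumption.

```python
"""Toy model of Neutron's L3 routing reference workflow.

Added example, not Neutron code. An in-memory dict stands in for the Neutron
DB and a per-host list for the AMQP queue; names and hosts are constructed.
"""
import itertools
from collections import defaultdict


class L3Plugin:
    def __init__(self, agent_hosts):
        self._ids = itertools.count(1)
        self.routers = {}                     # router_id -> router record ("DB")
        self.bindings = {}                    # router_id -> L3 agent host
        self.load = dict.fromkeys(agent_hosts, 0)
        self.queue = defaultdict(list)        # host -> pending notifications ("AMQP")

    # ---- REST-facing operations: DB operation -> schedule -> notify ----
    def create_router(self, tenant, name):
        rid = f"router-{next(self._ids)}"
        self.routers[rid] = {"id": rid, "tenant": tenant, "name": name,
                             "gateway": None, "interfaces": [], "floatingips": []}
        self._schedule_and_notify(rid)
        return rid

    def set_gateway(self, rid, external_net):
        self.routers[rid]["gateway"] = external_net
        self._schedule_and_notify(rid)

    def clear_gateway(self, rid):
        self.routers[rid]["gateway"] = None
        self._schedule_and_notify(rid)

    def add_router_interface(self, rid, subnet_cidr):
        self.routers[rid]["interfaces"].append(subnet_cidr)
        self._schedule_and_notify(rid)

    def remove_router_interface(self, rid, subnet_cidr):
        self.routers[rid]["interfaces"].remove(subnet_cidr)
        self._schedule_and_notify(rid)

    def associate_floatingip(self, rid, floating_ip, fixed_ip):
        # Floating IP = SNAT/DNAT association between an external and a tenant address.
        self.routers[rid]["floatingips"].append((floating_ip, fixed_ip))
        self._schedule_and_notify(rid)

    # ---- scheduler: router -> L3 agent (least loaded host, assumed rule) ----
    def _schedule(self, rid):
        if rid not in self.bindings:
            host = min(self.load, key=self.load.get)
            self.bindings[rid] = host
            self.load[host] += 1
        return self.bindings[rid]

    def _schedule_and_notify(self, rid):
        host = self._schedule(rid)
        self.queue[host].append(("routers_updated", rid))

    # ---- RPC from an agent: auto_schedule -> fetch configs -> return ----
    def sync_routers(self, host):
        for rid in self.routers:
            if rid not in self.bindings:          # unbound routers go to the caller
                self.bindings[rid] = host
                self.load[host] += 1
        self.queue[host].clear()                  # notifications consumed
        return [r for rid, r in self.routers.items() if self.bindings[rid] == host]


class L3Agent:
    """Reference agent: it only configures the host it runs on (namespaces)."""

    def __init__(self, host, plugin):
        self.host, self.plugin = host, plugin
        self.namespaces = {}

    def process(self):
        for router in self.plugin.sync_routers(self.host):
            ns = f"qrouter-{router['id']}"
            self.namespaces[ns] = {
                "gateway": router["gateway"],
                "interfaces": list(router["interfaces"]),
                "nat": [(f"dnat {fip}->{fixed}", f"snat {fixed}->{fip}")
                        for fip, fixed in router["floatingips"]],
            }
        return self.namespaces


def demo():
    """Two tenants, two network nodes; returns the plugin and each agent's namespaces."""
    plugin = L3Plugin(["network-node-1", "network-node-2"])
    agents = [L3Agent(h, plugin) for h in plugin.load]
    r1 = plugin.create_router("acme", "r1")
    plugin.set_gateway(r1, "ext-net")
    plugin.add_router_interface(r1, "10.15.1.0/24")
    plugin.associate_floatingip(r1, "129.1.77.30", "10.15.1.3")
    r2 = plugin.create_router("wily", "r2")
    plugin.add_router_interface(r2, "192.168.21.0/24")
    return plugin, [a.process() for a in agents]


if __name__ == "__main__":
    plugin, states = demo()
    print(plugin.bindings)
    print(states)
```

The point the slide makes is visible in `L3Agent.process`: the agent can only realise a router on its own host, which is exactly the coupling (hosting device == configuring device) that a router living in a separate service VM breaks.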
ADDED PIECES HIGHLIGHT
• Scheduler: router → hosting device
• L3CfgAgent: configures hosting devices of this type (one L3CfgAgent per hosting-device type)
• Service VM Manager: life cycle management of service VMs via Nova
[Figure: the Logical Neutron Router is now instantiated in a Router VM (the hosting device).]
ATTACHING/DETACHING ROUTER FROM SUBNETS
• VIF hot-plugging one possibility: requires OS support; PCI devices limit attachable subnets (~8-24)
• N1kv plugin supports VLAN trunking! ~4k attachable subnets; most OS:es support logical VLAN sub-interfaces; fast operation
• Attach: trunk VLAN used for Neutron network
• Detach: un-trunk VLAN used for Neutron network
• VXLANs mapped to link local VLANs
[Figure: Router 1 is a Router service VM with a single VIF on a Trunk port, VLAN = [x, y]; Neutron Network 1 is attached, Neutron Network 2 is detached.]
WORKFLOW BEHIND THE SCENES
[Figure: a user request using Neutron’s routing REST API (1) reaches the Neutron API server and the N1kv (core) plugin (L2 + IPAM + Routing), all Python: DB processing through the Python SQLAlchemy API against the Neutron DBs, the Scheduler and the Service VM Manager, with Python RPC using AMQP. The Service VM Manager drives Nova and Glance over the Neutron, Nova and Glance REST APIs to launch the Router service VM on the Hypervisor (KVM) through Libvirt; the L3CfgAgent then configures the Router service VM and its VRFs. Steps (2)–(8) in the figure follow this path.]
DEMO
Neutron routing using service VM
[Figure: Single node Openstack setup on a UCS server: Hypervisor KVM, RabbitMQ, MySQL, Keystone, Nova, Glance, Neutron with the N1kv plugin, DHCP agent, L3CfgAgent, Nova agent, VSM VM and VEM. Openstack dashboard 1 shows the Demo tenant’s virtual topology in the Openstack cloud: bob_test_net1 (internal) 10.0.11.0/24 and bob_test_net2 (internal) 10.0.12.0/24, each with vm1 and vm2 (.3 addresses) and Router 1 as gateway (.1), plus bob_test_extnet1 (external) 10.0.21.0/24 with the router at 10.0.21.3. Openstack dashboard 2 shows the L3AdminTenant.]
CISCO – APPLICATION CENTRIC INFRASTRUCTURE
“MAKE EVERYTHING AS SIMPLE AS POSSIBLE, BUT NOT SIMPLER”
- ALBERT EINSTEIN
ACI BUILDING BLOCKS
[Figure: three columns. APIC – open RESTful APIs, centralized policy model, open source, controller. ACI – policy model, built-in line rate end point directory, integrated overlay, 40G non-blocking fabric, simple, secure. Next generation Nexus—traditional networks: 50% simpler code base, future proof (upgradable to ACI), programmability and automation, network virtualization support, resiliency (in service patching, upgrade, fast restart). Nexus 9500 and 9300 innovations in software, hardware and system design: price, power efficiency, programmability, port density, performance; optimized NX-OS; scale out without compromise; common building blocks – access and core; future proof—software upgradable to ACI.]
ACI FABRIC: IP NETWORK WITH AN INTEGRATED OVERLAY
• ACI Fabric is based on an IP fabric supporting routing to the edge with an integrated overlay for host routing
 ‒ All end-host (tenant) traffic within the fabric is carried through the overlay
• Why choose an integrated overlay?
 ‒ Mobility, scale, multi-tenancy, and integration with emerging hypervisor designs
[Figure: IP fabric with integrated overlay, IP un-numbered 40 Gb links, managed by APIC.]
WHY OVERLAYS?
Flexible Overlay Virtual Network
• Mobility – Track end-point attach at edges
• Scale – Reduce core state; distribute and partition state to network edge
• Flexibility/Programmability – Reduced number of touch points
Robust Underlay/Fabric
• High Capacity Resilient Fabric
• Intelligent Packet Handling
• Programmable & Manageable
APPLICATION VIRTUAL SWITCH (AVS)
Consistent Policy enforcement for Virtual and Physical workloads
AVS Highlights
• Purpose-Built Virtual member of ACI
• Full Fabric Integration (VSM not required)
• Single point of management for virtual and physical (APIC)
• Optimal traffic steering
• Integrated visibility (physical, virtual)
• Seamless workload mobility
• Consistent operational model across hypervisors
[Figure: Web VM and App VM attached to the Application Virtual Switch, a DB Tier, and APIC managing both.]
APPLICATION CENTRIC INFRASTRUCTURE CONTROLLER (APIC)
• Unified point of fabric automation and management including application policies
• Distributed clustered software running on x86 appliance
• GUI, CLI and RESTful APIs
• Central management of Fabric:
 – End point policies
 – Firmware Spine / Leaf Imaging
 – Inventory
 – Topology
 – Monitoring / Troubleshooting
 – Compute Integration
 – 3rd party integration
ACI DEVICE PACKAGE
• Defines services appliances
• Lists service functions offered by the services appliance
• Provides scripts for driving service configuration
• Plan is to open the API so that anyone can create a device package and have a community similar to Puppet manifests or Chef recipes
ACI SERVICE AUTOMATION ARCHITECTURE
[Figure: on the APIC Appliance, the APIC Policy Element drives a Script Engine through the APIC Script Interface; Device Specific Python Scripts implement the Configuration Model and talk to the appliance over its Device Interface (REST/CLI).]
“SIMPLICITY IS ABOUT SUBTRACTING THE OBVIOUS AND ADDING THE MEANINGFUL”
- JOHN MAEDA
ACI POLICY MODEL
AGILITY: ANY APPLICATION, ANYWHERE—PHYSICAL AND VIRTUAL
COMMON APPLICATION NETWORK PROFILE
[Figure: an Application Network Profile (WEB, APP and DB tiers with ADC and F/W services) pushed by APIC across hypervisors and physical hosts. Policy areas: connectivity policy, security policies, QoS, bandwidth reservation, availability, storage and compute, application L4-L7 services (SLA, QoS, security, load balancing). Extensible Scripting Model.]
ACI POLICY MODEL: FORMALIZED DESCRIPTION OF CONNECTIVITY
[Figure: EPG - Web groups several HTTP Service and HTTPS Service end-points.]
EPGs are a grouping of end-points representing application or application components independent of other network constructs.
END-POINTS
• Device connected to network directly or indirectly
• Has address (identity), location, attributes (version, patch level)
• Can be physical or virtual
• Examples: Server, Virtual Machine, Storage, Client on Internet, NIC, vNIC, DNS
END-POINT GROUPS (EPGS)
[Figure: EP, EP, … EP form an end-point group [EPG]; policies apply between EPG WEB and EPG APP SERVER.]
All EPs share common properties
• Connectivity
• Security/Access control
• QoS
• Services
• …
Can flexibly map into
• application tier of multi-tier app
• segmentation construct (ala VLAN)
• a security construct
• Neutron port groups
• …
Allows specifying rules and policies on groups of physical or virtual end-points without understanding of specific identifiers and regardless of physical location.
MULTIPLE CONTRACTS
[Figure: EPG WEB (consumer) and EPG APP SERVER (provider) joined by a web contract; an ssh contract and a mgmt contract are shown alongside but not consumed by EPG WEB.]
EPs in EPG WEB can access EPs in EPG APP SERVER on subjects (L4 ports) specified in this contract (the web contract), subjected to actions in this contract
EPs in EPG WEB can NOT access EPs in EPG APP SERVER on subjects (L4 ports) specified in these contracts (the ssh and mgmt contracts)
• Explicit white-list like model for specifying rules between groups
BUNDLES
[Figure: EPG APP SERVER provides a contract bundle (http contract, …), consumes contract bundles (DNS contract, https contract, SQL contract, …) and is protected by TABOO bundles (ssh contract, mgmt contract, …).]
Contracts can be combined in bundles
Bundles of contracts can be provided by EPGs
Bundles of contracts can be consumed by EPGs
Taboos can be bundled as well
EXAMPLE: THREE TIER APPLICATION
[Figure: EPG WEB, EPG APP and EPG DB, each in its own bridge domain (bd) with its own subnet inside one L3 context, split across NW Public and NW Private. WEB provides the web bundle, APP provides the java bundle, DB provides the sql bundle; each tier consumes the bundle of the tier behind it, and all three provide the mgmt bundle. Outside consumes the web bundle; infra shared services are consumed by all tiers.]
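The white-list semantics of the last three slides (contracts, bundles, taboos and the three tier example), as an added Python example that is not APIC code: the EPG, contract and port names are constructed to match the slides, and the evaluator denies by default, permits only through a contract that the source consumes and the destination provides, and lets a taboo protecting the destination override any permit. The action vocabulary is a subset of the deck’s policy options.

```python
"""Toy evaluator for the ACI contract model shown on the slides.

Added example, not APIC code. Default deny (white-list); a contract only
counts when the source EPG consumes it and the destination EPG provides it;
taboos are explicit denies that win over any permit.
"""
from dataclasses import dataclass, field

PERMIT, DENY, LOG = "permit", "deny", "log"   # subset of the deck's policy actions


@dataclass(frozen=True)
class Subject:
    """One L4 service inside a contract and the action applied to it."""
    proto: str
    port: int
    action: str = PERMIT        # LOG means permit and log


@dataclass
class Contract:
    name: str
    subjects: frozenset
    taboo: bool = False         # taboo: an explicit deny that overrides permits


@dataclass
class EPG:
    name: str
    provides: set = field(default_factory=set)      # contract names offered
    consumes: set = field(default_factory=set)      # contract names usable
    protected_by: set = field(default_factory=set)  # taboo contract names


def evaluate(src, dst, proto, port, contracts):
    """Decide src EPG -> dst EPG on proto/port. Returns (decision, extra_actions)."""
    def matching(contract):
        return [s for s in contract.subjects if s.proto == proto and s.port == port]

    # 1. taboos protecting the destination are checked first and win outright
    for name in dst.protected_by:
        if contracts[name].taboo and matching(contracts[name]):
            return DENY, set()
    # 2. white-list: only contracts consumed by src AND provided by dst apply
    actions = {s.action
               for name in src.consumes & dst.provides
               for s in matching(contracts[name])}
    if not actions or DENY in actions:
        return DENY, set()
    return PERMIT, actions - {PERMIT}


def three_tier():
    """Constructed model of the slide's three tier application profile."""
    contracts = {c.name: c for c in [
        Contract("http", frozenset({Subject("tcp", 80)})),
        Contract("https", frozenset({Subject("tcp", 443)})),
        Contract("java", frozenset({Subject("tcp", 8080, LOG)})),
        Contract("sql", frozenset({Subject("tcp", 3306)})),
        Contract("ssh", frozenset({Subject("tcp", 22)})),
        Contract("dns", frozenset({Subject("udp", 53)})),
        Contract("ssh-taboo", frozenset({Subject("tcp", 22)}), taboo=True),
    ]}
    web_bundle, java_bundle, sql_bundle = {"http", "https"}, {"java"}, {"sql"}
    mgmt_bundle, infra_bundle = {"ssh"}, {"dns"}
    epgs = {
        "OUTSIDE": EPG("OUTSIDE", consumes=web_bundle),
        "WEB": EPG("WEB", provides=web_bundle | mgmt_bundle,
                   consumes=java_bundle | infra_bundle),
        "APP": EPG("APP", provides=java_bundle | mgmt_bundle,
                   consumes=sql_bundle | infra_bundle),
        # DB provides the mgmt bundle like the other tiers, but a taboo on ssh protects it
        "DB": EPG("DB", provides=sql_bundle | mgmt_bundle,
                  consumes=infra_bundle, protected_by={"ssh-taboo"}),
        "MGMT": EPG("MGMT", consumes=mgmt_bundle),
        "INFRA": EPG("INFRA", provides=infra_bundle),   # infra shared services
    }
    return epgs, contracts


def check(src, dst, proto, port):
    epgs, contracts = three_tier()
    return evaluate(epgs[src], epgs[dst], proto, port, contracts)


if __name__ == "__main__":
    for flow in [("OUTSIDE", "WEB", "tcp", 443), ("OUTSIDE", "APP", "tcp", 8080),
                 ("WEB", "APP", "tcp", 8080), ("MGMT", "DB", "tcp", 22)]:
        print(flow, "->", check(*flow))
```

Two things the evaluator makes explicit that the slides leave implicit: a contract that an EPG provides but nobody consumes grants nothing (OUTSIDE to APP on 8080 is denied even though APP provides java), and a taboo is evaluated before any contract, so bundling ssh into the mgmt bundle that DB provides still leaves DB unreachable on port 22.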
APPLICATION NETWORK PROFILE
POLICY OPTIONS: ACTIONS
Permit, Deny, Redirect, Log, Copy Packet, Mark Packet DSCP, …
There are six policy options supported:
• Permit the traffic
• Block the traffic
• Redirect the traffic
• Log the traffic
• Copy the traffic
• Mark the traffic (DSCP/QoS)
Policy encompasses traffic handling, quality of service, security monitoring and logging.
APIC – SERVICE CHAIN
OPENSTACK NEUTRON NETWORK MODEL
[Figure: a Tenant owns Networks (including Network: external), Subnets, Ports, Routers, Security Groups and Security Group Rules. The Core API covers Network, Subnet and Port; the L3 + External Net Extension adds Router and the external network; the Sec Grp Extension adds Security Group and Security Group Rule.]
ACI MODEL
[Figure: a Tenant contains Context (VRF), Bridge Domain, Subnet, App Profile, Endpoint Group, Contract, Subject and Outside Network.]
ACI NEUTRON PLUGIN
• APIC Plugin for Fabric using ML2 framework
• Translates Neutron primitives to Insieme policy model
• ML2 allows plugin to select network technology
• Existing Neutron functions only
[Figure: Neutron API → ML2 Plugin with an OVS driver for the KVM/OVS compute nodes and an APIC driver that talks to APIC over the APIC REST API.]
EXTENDING ACI DATA MODEL INTO OPENSTACK
• Goal: Introduce ACI model into OpenStack
• Starting with Groups and Group based Policies
KEY TAKEAWAYS
CISCO + OPENSTACK SOLUTION
[Figure: an APIC-managed fabric carrying VM and BM (bare metal) hosts, with OpenStack on top.]
Common pool of Cisco infrastructure where OpenStack binds everything together.
Q&A • Questions?
Thank you.