Evolution of Virtual Networking to Applications and Clouds
BRKSPG-2466
Balaji Sivasubramanian, Director, Product Management
[email protected] ; @balajisiva
© 2015 Cisco and/or its affiliates. All rights reserved.BRKSPG-2466 Cisco Public
Agenda
• Introduction
• Market Trends
• Phase 1: Core Virtual Networking
• Phase 2: Application Virtual Networking
• Phase 3: Cloud Virtual Networking
• Conclusion
Virtual Networking 101 – Why Is It Needed?
1. 70% of workloads are virtualized today
2. vMotion moves VMs across physical ports; the network policy must follow vMotion in a timely fashion
3. Must view or apply network/security policy to locally switched traffic
4. May need to maintain segregation of duties while ensuring non-disruptive operations
[Diagram: one port policy shared by the Server Admin, Network Admin and Security Admin]
Market Trends
Industry/Market Trends Affecting Virtual Networking
• Multi-Hypervisor, Container, Opensource
• Increasing Physical/Virtual Integration in Networking
• L4-7 Market in Transition with Virtual Services
• New Markets (SP) for Virtual Networking
• Increasing Adoption of Public and Private Clouds
• Hybrid Cloud gaining Momentum
Virtual Networking is a Key Component of Data Center and Cloud (Enterprise and Public)
Virtualization is Increasing
At least 70% of workloads virtualized; 80% of physical servers are still bare-metal
% of Virtualized Workload by year (Gartner x86 virtualization report 2014):
2005: 9% | 2006: 14% | 2007: 22% | 2008: 33% | 2009: 42% | 2010: 51% | 2011: 58% | 2012: 65% | 2013: 67% | 2014: 70%
Virtualization is Evolving
• Multi-hypervisor adoption is increasing: 42% of customers run multiple hypervisors (vSphere, Hyper-V, KVM/Xen)
• Increased traction of containers – Docker, LXC etc.
Containers Gaining Market Traction
Containers (e.g. Docker) are hitting a key pivotal transition point in the virtualization of workloads. Key advantages of containers:
• Ability to run applications with a much smaller footprint (compared to a VM)
• Faster creation (< 1 sec) and lighter footprint for mobility
• Ease of development and test
• Lower cost (1 EC2 instance can hold a lot of containers)
Growth of containers will result in slower growth of VM-based virtualization.
Increased density of containers also needs new products that support container networking and management for the private/hybrid/public cloud stack.
[Diagram: Virtual Machine vs. Docker Container footprint]
Major impact on virtual networking from Open Source Projects
• OVS is gaining features and contributions from many vendors: caching (2.0) to improve performance, SPAN, RSPAN, NetFlow, sFlow, VXLAN, OpFlex, L3, Hyper-V support etc.
• OpenStack networking continues to evolve with Neutron: ease of automation, L4-L7 services, VLAN/VXLAN, security groups etc.
Network Consumption is Evolving
From box-by-box configuration to policy-based, automated, controller-based networking:
• Minimal Automation: box-by-box configuration
• SW Overlay with HW GW: virtual overlay over standalone hardware; needs HW gateways for bare-metal servers
• ACI: physical + virtual fully integrated solution
Managing virtual resources is an important element of this transition.
Network Functions Virtualization in Enterprise/SP
• Traditional Data Center / Managed Service: a network appliance (box) per function on vendor-provided hardware; slow innovation and slow to deploy
• Services with NFV: virtualized network functions easily orchestrated on any server; fast scale up/scale down, also available in an aaS offering
[Diagram axes: CPU, GB, bps]
Service Provider NFV Use Cases by ETSI
ETSI formalized NFV use cases and potentially virtualized functions:
• Network Functions Virtualization Infrastructure as a Service: vNAT, vFW, vLB, vRR, vVPN, vRouter
• Virtual Network Function as a Service (VNFaaS): vCPE, vPE
• Virtual Network Platform as a Service (VNPaaS): vPrivateCloud
• VNF Forwarding Graphs: VPE-F
• Virtualization of Mobile Core Networks and IMS: vEPC (vS/P-GW, vMME, vPCRF, vSGSN, vGGSN, vGiLan), vIMS (vP/S/I-CSCF, vMGCF, vAS)
• Virtualization of Mobile Base Station: vMAC, vRLC, vPDCP, vRRC, vCOMP, vBBU
• Virtualization of the Home Environment: vBNG, vRGW, vSTB
• Virtualization of CDNs: vCDN
• Fixed Access Network Functions Virtualization: vOLT, vDSLAM, vONU, vONT, vMDU, vDPU
Source: http://www.etsi.org/deliver/etsi_gs/NFV/001_099/001/01.01.01_60/gs_NFV001v010101p.pdf
IT Evolving To Support Cloud Centric Models
Increasing XaaS, Private Cloud and Public Cloud adoption; IT enabling self-service, automated infrastructure
[Diagram: Cisco InterCloud spanning the DC/Private Cloud (Vblock, FlexPod), Hybrid, Public Clouds, Cloud Management and XaaS]
Open Choice in Virtual Networking in Hypervisors
• Virtual networking in hypervisors is becoming a key component of all Data Center and Cloud deployments
• Open choice in virtual networking in hypervisors is key to having choice in solutions
Requirements on hypervisors:
• Native vSwitch that supports industry standard protocols like OpenFlow, OpFlex, OMI etc.
AND/OR
• Support for 3rd party vSwitch to allow for other integrated solutions
Choice in Virtual Networking - Key for Open Choice in Solutions
Hypervisor: native vSwitches / 3rd party
• vSphere: Standard vSwitch, DVS / Cisco Nexus 1000V and Cisco Application Virtual Switch, IBM 5000v, HP
• Hyper-V: Native vSwitch / Cisco Nexus 1000V, NEC
• KVM: Linux Bridge, OVS / Cisco Nexus 1000V, OVS
• Xen: OVS / OVS
Choice in 3rd party switches:
• Open source: OVS project with multiple contributions from different vendors and individuals
• Enterprise grade vendor switch – brings integrated solutions from other vendors to provide choice
Phase 1 – Core Virtual Networking
Genesis of Cisco Virtual Switching
Consistent Nexus experience across Virtual, Physical and Cloud
[Diagram: intra-tenant security, inter-tenant security, application acceleration, routing and gateways, web-app firewall, load balancer]
Cisco Nexus 1000V – Only Multi-Hypervisor Solution: Seamless Interaction Across Physical and Virtual Workloads & Services
Nexus 1000V:
• Only multi-hypervisor solution
• Distributed zone firewall
• Enterprise grade networking features
• Large scale – 250 servers/12000 VMs per controller
• L4-L7 services service chaining
• VXLAN based network virtualization
10000+ Customers
[Diagram: Nexus 1000V with vPath and VXLAN over an L3 physical fabric, reaching physical workloads and physical service nodes (ASA 55xx, zone FW, WAN Op) over VXLAN/802.1Q]
Nexus 1000V Architecture for Reference
• Virtual Supervisor Module (VSM): managed by the Network Admin; integrates with SCVMM, OpenStack and VC, used by the Cloud/Server Admin
• Virtual Ethernet Module (VEM): one per server (VEM-1, VEM-2 ... VEM-N), running on any hypervisor (ESX, Hyper-V, KVM)
Cisco Nexus 1000V Features: Consistent NX-OS Features across physical & virtual
• Switching: IPv4/IPv6, L2 Switching, L3 planned, 802.1Q Tagging, VLAN, VXLAN, Rate Limiting (TX), IGMP Snooping, QoS Marking (CoS & DSCP), Class-based WFQ
• Security: Policy Mobility, Private VLANs w/ local PVLAN Enforcement, Access Control Lists, Distributed Port Security, Cisco TrustSec 2.0, Dynamic ARP Inspection, IP Source Guard, DHCP Snooping, BPDU Guard, Storm Control
• Network Services: Virtual Services Datapath (vPath) support for traffic steering & fast-path off-load [leveraged by Virtual Security Gateway (VSG), vWAAS, ASA 1000V]
• Provisioning: Port Profiles, integration with virtualization & cloud mgmt. tools, optimized NIC teaming with Virtual Port Channel – Host Mode
• Management: integrated provisioning with VM mgmt station, Cisco LMS, DCNM, Cisco CLI, RADIUS, TACACS+, Syslog, SNMP (v1, v2, v3), hitless upgrade, Virtual Switch Update Manager
• Visibility: VM migration tracking, Distributed NetFlow v9 w/ NDE, CDP v2, VM-level interface statistics, SPAN & ERSPAN (policy-based)
Nexus 1000V Scalable to Support Large Deployments
Feature: Details
• Number of servers/hosts per switch: 250 hosts/servers
• Number of ports per switch: 10,000 ports per switch
• Number of vEth ports per server/host: 1000 ports per host/server
• Active VLANs per switch: 4094 VLANs
• Active VXLANs per switch: 6000 VXLANs
• Number of port profiles per switch: 6000 port profiles
• Domain IDs: 1 to 1023
• VXLAN G/W pairs: 8 pairs per switch
• VXLAN G/W pair per server/host: associated to one G/W pair
• Number of VXLAN mappings per G/W: 512 mappings
Scaling VXLAN – Extending VXLAN across Nexus 1000V
[Diagram: Nexus 1000V Cluster 1 (VSM with VEM 1, VEM 2, VEM 3; VTEPs vt1, vt2, vt3) and Nexus 1000V Cluster 2 (VSM with VEM 1, VEM 2; VTEPs vt4, vt5), each VM attached to its VEM]
Membership list per cluster, segment Green:
• Cluster 1: VTEPs vt1, vt3
• Cluster 2: VTEPs vt4, vt5
Membership list with BGP, segment Green: VTEPs vt1, vt3, vt4, vt5
• Segments can extend across multiple VSMs
• VSMs distribute the information among them using BGP
• VSM and VEMs will continue to exchange information using AIPC, like single-VSM mode
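The bookkeeping on this slide, as an added example that is not Cisco code: each cluster holds a per-segment list of its own VTEPs, the per-cluster lists are merged into one membership list per segment (the slide does this over BGP), and each VTEP derives the remote VTEPs it must replicate broadcast/unknown-unicast/multicast frames to. The example also packs and checks the 8-byte VXLAN header (layout from RFC 7348) that carries the segment's VNI; the VNI number, VTEP names and frame bytes are constructed for the example.

```python
# Added example, not Cisco code: segment membership merge across clusters,
# head-end replication lists, and VXLAN header packing/validation (RFC 7348).
import struct
from typing import Dict, List, Set

VXLAN_FLAG_VNI_VALID = 0x08          # "I" flag: the VNI field is valid
Membership = Dict[str, Set[str]]     # segment name -> set of VTEP names


def merge_membership(clusters: Dict[str, Membership]) -> Membership:
    """Union the per-cluster membership lists into one list per segment."""
    merged: Membership = {}
    for _cluster, segments in clusters.items():
        for segment, vteps in segments.items():
            merged.setdefault(segment, set()).update(vteps)
    return merged


def replication_list(merged: Membership, segment: str, local_vtep: str) -> List[str]:
    """Remote VTEPs a member of `segment` replicates BUM traffic to (never itself)."""
    members = merged.get(segment, set())
    if local_vtep not in members:
        raise KeyError(f"{local_vtep} is not a member of segment {segment}")
    return sorted(members - {local_vtep})


def pack_vxlan_header(vni: int) -> bytes:
    """flags(1) | reserved(3) | VNI(3) | reserved(1), network byte order."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)


def unpack_vxlan_header(data: bytes) -> int:
    """Return the VNI; reject headers a receiving VTEP must not accept."""
    if len(data) < 8:
        raise ValueError("truncated VXLAN header")
    flags, tail = struct.unpack("!B3xI", data[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    if tail & 0xFF:
        raise ValueError("reserved byte after VNI must be zero")
    return tail >> 8


def encapsulate_bum(merged: Membership, vni_by_segment: Dict[str, int],
                    segment: str, local_vtep: str, frame: bytes) -> Dict[str, bytes]:
    """One VXLAN-encapsulated copy of `frame` per remote VTEP (head-end replication)."""
    header = pack_vxlan_header(vni_by_segment[segment])
    return {vtep: header + frame for vtep in replication_list(merged, segment, local_vtep)}


# Constructed topology matching the slide: two clusters, one "Green" segment.
CLUSTERS: Dict[str, Membership] = {
    "cluster-1": {"Green": {"vt1", "vt3"}},
    "cluster-2": {"Green": {"vt4", "vt5"}},
}
VNI_BY_SEGMENT = {"Green": 5001}     # constructed VNI, not from the slide


def demo():
    """Merge the lists and build vt1's replication set for a 60-byte broadcast frame."""
    merged = merge_membership(CLUSTERS)
    bum_frame = b"\xff" * 6 + b"\x00" * 54   # constructed broadcast frame
    return merged, encapsulate_bum(merged, VNI_BY_SEGMENT, "Green", "vt1", bum_frame)
```

The replication list is computed from the merged list rather than the local cluster's list, which is exactly what the BGP exchange buys: vt1 floods to vt4 and vt5 in the other cluster as well as to vt3, and the receiver-side header check refuses frames whose VNI flag or reserved bits are wrong instead of guessing a segment.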
Cisco TrustSec – Simple & Effective Security: SGT Tagging and Enforcement
[Diagram: Finance Application VMs on two servers, each with a Nexus 1000V VEM in the hypervisor; Nexus 1000V VSM; ISE (PAC); ToR switch]
• N1KV: assigns SGT based on static port-profile assignments
• ToR: filters traffic based on SG-ACLs
• N1KV: uses SG-ACL to enforce tags set by N1KV or ToR
Virtual Security Gateway: Stateful Distributed Virtual Firewall
• Context aware security: VM context aware rules
• Zone based controls: establish zones of trust
• Dynamic, agile: policies follow vMotion
• Best-in-class architecture: efficient, fast, scale-out SW (with vPath intelligence)
• Non-disruptive operations: security team manages security
• Policy based administration: central mgmt, scalable deployment, multi-tenancy
• Designed for automation: XML API, security profiles
VSG has been available in the market for over 4 years. Now these features are gaining popularity as micro-segmentation and distributed firewall.
Virtual Security Gateway: Intelligent Traffic Steering with vPath
[Diagram: Nexus 1000V Distributed Virtual Switch hosting VMs, vPath steering the initial packet of a flow to the VSG; PNSC receives log/audit]
Initial packet flow (steps 1–4 in the diagram): vPath steers the first packet of a flow to the VSG, the VSG performs flow access control (policy evaluation), the decision is cached, and log/audit records go to PNSC.
Virtual Security Gateway: Distributed Firewall - Performance Acceleration
[Diagram: the same Nexus 1000V Distributed Virtual Switch, vPath, VSG and PNSC (log/audit)]
Remaining packets from the flow: ACL offloaded to Nexus 1000V (policy enforcement)
VSG Policy: Rule Construct
Rule = Source Condition + Destination Condition + Action (ACE: Access Control Entry)
Condition attribute types: Network, VM, User Defined, vZone
• VM attributes: Instance Name, Guest OS full name, Guest OS host name, Parent App Name, Cluster Name, Hypervisor Name, Resource-pool, Port Profile Name, Zone Name
• Network attributes: IP Address, Network Port
Operators:
• Rule operators: eq, neq, gt, lt, range, not-in-range
• Prefix operators: member, not-member, contains
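The rule construct above and the vPath first-packet/remaining-packets behaviour from the two preceding slides, as an added example that is not Cisco code: rules are ACEs whose source and destination conditions use the listed operators over VM and network attributes, a first-match policy engine evaluates the initial packet of a flow, and a per-flow cache answers the remaining packets. Class names, the reading of "prefix" as "IP address inside a CIDR block", and all end points and rules are this example's own.

```python
# Added example (not Cisco code): VSG-style rule construct plus a vPath-style
# per-flow decision cache. Class names and sample data are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Any, Callable, Dict, List, Tuple

# Operators named on the slide; "prefix" is read here as "IP inside CIDR block".
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda a, b: a == b,
    "neq": lambda a, b: a != b,
    "gt": lambda a, b: a > b,
    "lt": lambda a, b: a < b,
    "range": lambda a, b: b[0] <= a <= b[1],
    "not-in-range": lambda a, b: not (b[0] <= a <= b[1]),
    "member": lambda a, b: a in b,
    "not-member": lambda a, b: a not in b,
    "contains": lambda a, b: b in a,
    "prefix": lambda a, b: ip_address(a) in ip_network(b, strict=False),
}


@dataclass
class Condition:
    attr: str      # "vm.<attribute>" or "net.<attribute>" of one end point
    op: str
    value: Any

    def matches(self, endpoint: Dict[str, Any]) -> bool:
        # Missing context never satisfies a condition: the lookup fails closed.
        return self.attr in endpoint and OPERATORS[self.op](endpoint[self.attr], self.value)


@dataclass
class Rule:
    """One ACE: all source conditions AND all destination conditions -> action."""
    name: str
    action: str                                    # "permit" or "drop"
    src: List[Condition] = field(default_factory=list)
    dst: List[Condition] = field(default_factory=list)

    def matches(self, src_ep: Dict[str, Any], dst_ep: Dict[str, Any]) -> bool:
        return all(c.matches(src_ep) for c in self.src) and all(c.matches(dst_ep) for c in self.dst)


class PolicyEngine:
    """Ordered rules, first match wins; no match falls to the default (drop)."""

    def __init__(self, rules: List[Rule], default: str = "drop"):
        self.rules, self.default = rules, default

    def evaluate(self, src_ep, dst_ep) -> Tuple[str, str]:
        for rule in self.rules:
            if rule.matches(src_ep, dst_ep):
                return rule.action, rule.name
        return self.default, "implicit-default"


class FlowCache:
    """vPath-style fast path: policy is consulted for a flow's first packet only."""

    def __init__(self, engine: PolicyEngine):
        self.engine, self.cache, self.policy_lookups = engine, {}, 0

    @staticmethod
    def flow_key(src_ep, dst_ep) -> Tuple:
        return (src_ep["net.ip_address"], dst_ep["net.ip_address"],
                dst_ep["net.port"], dst_ep.get("net.protocol"))

    def handle_packet(self, src_ep, dst_ep) -> Tuple[str, str]:
        key = self.flow_key(src_ep, dst_ep)
        if key in self.cache:                 # remaining packets: enforce cached ACL
            return self.cache[key], "cache"
        self.policy_lookups += 1              # initial packet: policy evaluation
        self.cache[key] = self.engine.evaluate(src_ep, dst_ep)[0]
        return self.cache[key], "policy"

    def invalidate(self) -> None:
        """A policy change must flush cached decisions, or stale permits persist."""
        self.cache.clear()


# Constructed end points (VM and network attributes) and rules.
WEB = {"vm.instance_name": "web-01", "vm.port_profile_name": "pp-web",
       "vm.zone_name": "web-zone", "net.ip_address": "10.1.1.10"}
APP = {"vm.instance_name": "app-01", "vm.port_profile_name": "pp-app",
       "vm.zone_name": "app-zone", "net.ip_address": "10.1.2.10",
       "net.port": 8080, "net.protocol": "tcp"}
DB = {"vm.instance_name": "db-01", "vm.zone_name": "db-zone",
      "net.ip_address": "10.1.3.10", "net.port": 3306, "net.protocol": "tcp"}
TEST_VM = {"vm.instance_name": "qa-test-07", "vm.port_profile_name": "pp-test",
           "vm.zone_name": "test-zone", "net.ip_address": "10.9.0.7"}

RULES = [
    Rule("deny-test-to-db", "drop",
         src=[Condition("vm.instance_name", "contains", "test")],
         dst=[Condition("vm.zone_name", "eq", "db-zone")]),
    Rule("web-to-app", "permit",
         src=[Condition("vm.port_profile_name", "eq", "pp-web")],
         dst=[Condition("vm.zone_name", "eq", "app-zone"),
              Condition("net.port", "range", (8080, 8089))]),
    Rule("app-to-db", "permit",
         src=[Condition("net.ip_address", "prefix", "10.1.2.0/24")],
         dst=[Condition("vm.zone_name", "member", {"db-zone"}),
              Condition("net.port", "eq", 3306)]),
]


def run_flows() -> Dict[str, Tuple[str, str]]:
    """Push packets through the fast path; report (action, where it was decided)."""
    fc = FlowCache(PolicyEngine(RULES))
    results = {
        "web->app first packet": fc.handle_packet(WEB, APP),
        "web->app second packet": fc.handle_packet(WEB, APP),
        "app->db": fc.handle_packet(APP, DB),
        "test->db": fc.handle_packet(TEST_VM, DB),
        "web->db (no matching rule)": fc.handle_packet(WEB, DB),
    }
    results["policy lookups"] = (str(fc.policy_lookups), "")
    return results
```

Two properties matter for a distributed firewall built this way: a condition on an attribute the end point does not carry fails closed rather than open, and the cache is keyed on the flow so that the second packet of web->app never touches the policy engine, which is why `invalidate()` has to run on every policy change.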
Use Cases for Nexus 1000V
• Virtual Data Center: managing policies for VMs
• Secure Container - Cloud: secure multi-tenancy
• Virtual Services Hosting: ease of deployment
• Multi-DC: DC to DC live migration
• VDI: secure VDI
• OpenStack: self-service cloud
Easy Life Cycle Management of Nexus 1000V/AVS: Cisco Virtual Switch Update Manager
• Install & Migrate: easily install the Nexus 1000V & Cisco AVS using vCenter; smoothly migrate vSwitch/VDS to N1KV
• Upgrade & Monitor: upgrade the Nexus 1000V and AVS (multiple hosts allowed); easily monitor your virtual network
• Configure*: configure and manage Nexus 1000V features and port-profiles
* future
Uncontrolled Virtual Application Sprawl
• Reduced efficiency in the DC due to uncontrolled VM sprawl
• Long delay to onboard a new developer / customer
• Developers leveraging Public Cloud due to delays
From VM Sprawl to Secured Containers
[Diagram: uncontrolled virtual application sprawl grouped into Enterprise Apps, Transactional Apps and Collaborative Apps containers; SME]
Challenge: Weeks to Identify Resources, Configure Network and Security Devices per Container
Complex and manual:
1. Long onboarding time
2. Operational challenges across teams and domains
[Diagram: for each of Enterprise Apps, Transactional Apps and Collaborative Apps, every device goes through Procure / License, Install, Provision, Ready?]
Evolving Ease of Use - Rapidly Deploy Containers using VACS
[Diagram: one VACS container each for Enterprise Apps, Transactional Apps and Collaborative Apps]
Key values:
1. Simple to design and deploy containers
2. Consistent automated deployments w/ operational simplicity
3. Best in class virtual services w/ unified licensing
VACS Built on Proven Technology
• Virtual Fabric – Nexus 1000V (platform for distributed FW)
• Zone Based FW – Virtual Security Gateway
• Edge FW – CSR 1000V
• Routing – CSR 1000V
• Automated Provisioning and Orchestration – UCS Director
Enforced by best in class services, built on flagship Cisco NX-OS & IOS SW; unified licensing, per-server based
“Out of the Box” Compliant VACS Containers
“Out of the Box” VACS Containers:
1. 3-Tier App Container
2. 3-Tier App Container w/ Ext Access
3. Custom Container
Note: Customer is not provisioning N1KV, VSG or CSR. VACS backend will take care of the details
Evolving Cisco Solution for OpenStack
[Diagram: Neutron managing Tenant 1 ... Tenant n virtual networks (VXLANs) on KVM; VXLAN gateway to the physical networks (VLANs), bare-metal servers and physical firewalls]
Solution Highlights
• Enterprise grade virtual network virtualization solution (using VXLAN)
• Enhanced security, visibility and troubleshooting for networking
• Consistent networking between physical and virtual workloads
• Integrated in OpenStack Juno release - Ubuntu 14.0.4 and RHEL 7.0/RHOS 6.0
• Automated installation via Juju/Charm on Canonical and StayPuft on RHAT
Tight Integration with Horizon - Simplified Operational Model
[Diagram: OpenStack Controller (Nova Service, Neutron Service, Horizon, other services) with the Nexus 1000V VSM; servers with a Nexus 1000V VEM hosting VMs; Network Mgmt and Cloud Mgmt roles]
1. Create policy-profiles
2. Policy-profiles are synced to the Controller. The Controller in turn uses the Neutron API to create networks & subnets on the VSM
3. Create tenants, networks, subnets & VMs
4. (final step shown in the diagram)
Nexus 1000V OpenStack Solution on Ubuntu
Simple one-click install via Juju/Charm of the Nexus 1000V solution
Phase 2 : Application Virtual Networking
New Application Demands on Infrastructure
Cloud and Big Data are driving a paradigm shift (distributed, virtualized, bare-metal, cloud):
• Dynamic instantiation and removal
• Increasingly virtualized/containerized
• Infrastructure independent
• Scale-out/multi-node
• Multi-cloud models
• Application-awareness for agile deployment and placement
• Physical/virtual/cloud integration and visibility
• Dynamic shared resource pool
• Increasing performance (1/10/40/100G) and scale
• Secure and multi-tenant aware
Application Language Barriers
• Developers: application tiers, provider/consumer relationships
• Infrastructure teams: VLANs, subnets, protocols, ports
Developer and infrastructure teams must translate between disparate languages.
What is an Application to the Network?
It is more than just a VM or server. It is the collection of all the application's end points, plus the application's L2 – L7 network policies, plus the relationship between these end points and their policies.
[Diagram: External Network, Web Tier end points, App Tier end points, DB Tier end points, with QoS, Service and Filter policies between each pair]
Remember UCS & Stateless Computing?
Service Profile:
• Network: uplinks; LAN settings (VLAN, QoS, etc.); firmware revisions
• Storage: optional disk usage; SAN settings (LUNs, persistent binding, vSAN); firmware revisions
• Server: identity (UUID); adapters (number, type: FC/Ethernet, identity, characteristics); firmware (revisions, configuration settings)
Stateless Networking
Application Network Profile: EPG Web – C – EPG App – C – EPG DB (C = contract)
Contracts define "what" an EPG exposes to other app tiers and "how" (TCP ports, protocols, redirects etc).
There is stateless filtering implicitly provided by the ACI fabric between EPGs that may be able to eliminate the need for some firewalls within the datacenter.
Cisco Nexus 1000V and Application Virtual Switch
Nexus 1000V:
• Only virtual networking and services solution across multiple hypervisors
• Single point of management for virtual networking via VSM, with integration to cloud management platforms (Cisco UCS Director, OpenStack, SCVMM, vCD etc)
• L4-L7 integrated via vPath: firewall, load balancer, L3 services, WAN optimization, network monitoring
• Distributed zone firewall (Virtual Security Gateway)
• Licensing: licensed per CPU socket for advanced edition
Application Virtual Switch:
• Purpose built ACI virtual leaf with OpFlex integration
• Single point of management with APIC Controller
• APIC specifies network policy for virtual and physical networks and does L4-L7 integration
• AVS does local switching
• License is part of the APIC
AVS for Application Centric Infrastructure: Intelligent Application Policy Enforcement – Consistent Across Physical and Virtual Workloads
Consistent policy enforcement for virtual and physical workloads
[Diagram: APIC pushing policy to a Web VM, an App VM and a physical DB tier]
AVS Architecture and Components
• AVS has two major components: AVS-DVS (Distributed Virtual Switch) on vCenter, and the AVS .VIB bits on the ESXi host
• OpFlex Agent runs on the AVS ESXi host
• Increased control plane scale through APIC cluster and Leaf Node
[Diagram: VMware vCenter (hypervisor manager) managing the AVS DVS across ESXi hosts, each with an OpFlex Agent and VMs, attached to ACI Leaf switches under Spines]
Application Virtual Switch with OpFlex in ACI Fabric
• AVS: first Virtual Leaf to implement OpFlex. OVS is next
• Network policy communicated from APIC to AVS through N9k using OpFlex
• Increased control plane scale through APIC Cluster and Leaf Node
• APIC communicates with vCenter Server for Port Group creation
[Diagram: vCenter hypervisor manager; AVS on each host speaking OpFlex to the ACI fabric]
AVS Makes Existing Switching Network ACI Enabled
• Supports a full Layer 2 network (Nexus 7k/6k/5k/3k/2k/FI) between Nexus 9k and AVS: investment protection
• VDS (VMware Distributed Switch) can only support a single L2 switch between N9k and VDS, due to lack of OpFlex support
• N2K with N5K/N6K/N7K/N9K is considered one L2 switch
• A Layer 2 network is required to support OpFlex bootstrapping in this phase
[Diagram: OpFlex running from the AVS hosts across an L2 network to the Nexus 9k]
Cisco ACI Hypervisor Integration – Cisco AVS
[Diagram: APIC admin, VI/Server admin, APIC, ACI Fabric, vCenter Server, hypervisors running Cisco AVS with Web/App/DB port groups and OpFlex Agents]
Steps shown (numbered 1–9 in the diagram):
• Cisco APIC and VMware vCenter initial handshake
• Create AVS-DVS (2)
• Attach hypervisor to AVS (3)
• Learn location of ESX host through OpFlex (4)
• APIC admin creates the Application Policy (Application Network Profile with EPG Web, EPG App, EPG DB and F/W and L/B services)
• Automatically map EPGs to port groups
• Create port groups (7)
• VI/Server admin instantiates VMs and assigns them to the Web, App and DB port groups
• Push policy
Virtual Leaf Switching Modes
• No Local Switching (NS) Mode: all traffic sent to the physical Leaf for switching (punt to Leaf for all traffic)
• Local Switching (LS) Mode: intra-EPG traffic switched on the same host; punt to Leaf for inter-EPG traffic
• Full Switching (FS) Mode (future): inter-EPG traffic locally switched on the same server, with full policy enforcement
[Diagram: each mode shown with a hypervisor hosting EPG App and EPG Web VMs]
Benefits of Application Virtual Switch – Extending Policy to the Virtual Edge
[Diagram: AVS instances at the virtual edge, ACI Leaf (Nexus 9000), APIC policy controller]
• Policy enforcement and forwarding for intra- and inter-EPG traffic
• End-to-end visibility and application performance management
Phase 3: Cloud Virtual Networking
Cisco's Hybrid Cloud Approach
[Diagram: Enterprise connected through Cisco Intercloud Fabric to an expanding cloud provider ecosystem]
Open:
• No vendor lock-in
• Any hypervisor to any provider
• Heterogeneous infrastructure
• End-to-end security
• Unified workload management and governance
• Workload mobility across clouds
Choice
Cisco Intercloud Fabric: Solution Overview
• DC/Private Cloud: end user and IT admin portals; secure fabric extender for network, compute and storage; hypervisors vSphere, Hyper-V*, KVM*, Xen*; Intercloud Fabric for Business
• Provider Clouds: Intercloud Fabric for Providers; EC2 APIs, Azure APIs; Intercloud Ecosystem; Cisco Powered services and cloud providers
* Available in subsequent releases
Cisco Intercloud Fabric Solution Details
[Diagram: Intercloud Fabric Secure Extender (secure network extension) between the DC/Private Cloud and the Provider Cloud]
• DC/Private Cloud: Intercloud Fabric for Business – Intercloud Fabric Director (end user and IT admin portal, workload and fabric management for IT admins and end users), Intercloud Extender, VM Manager, VMs
• Provider Cloud: Intercloud Fabric for Providers – Intercloud Switch, Intercloud Fabric Services, VMs
Hybrid Cloud Requirements for Virtual Networking
[Diagram: Intercloud Fabric for Business (Intercloud Fabric Director, Intercloud Extender) in the enterprise, Intercloud Secure Extender to the Provider Cloud (Intercloud Switch, Intercloud Fabric Services, VMs)]
• Extend VLAN/VXLAN with TLS tunnel
• Inter-VM firewalling and routing
• Enterprise IP address or provider IP address
Intercloud Fabric Architecture Vision
Cisco Intercloud Fabric architecture is modularized to achieve the elasticity needed to support evolving cloud environments:
• ICF Extended Services + external partners (storage, load balancing, etc.)
• ICF Core Services: Security, Management and Visibility, Automation, Networking, VM Portability
• ICF Core Infrastructure: ICFD, PNSC, ICFPP, Secure Communications
Spanning Private Cloud (Enterprise) and Public Cloud (Provider)
Virtual Networking part of ICF Core Services
ICF Core Services: fundamental service functions and capabilities, integrated natively to ICF and its operation
• Networking: switching, routing and other advanced network-based capabilities
• Security: VM-to-VM and app-to-app security controls
• VM Portability: VM format conversion and mobility
• Management and Visibility: private and hybrid cloud monitoring capabilities
• Automation and APIs: VM lifecycle capabilities, automated operations and programmatic APIs
Core Services: Network Extension
[Diagram: Intercloud Fabric for Business with Intercloud Fabric Director; Intercloud Secure Extender between the DC/Private Cloud and the Provider Cloud]
1. An enterprise VM on an access port of the Enterprise Virtual Switch sends data; the Intercloud Extender receives it on a trunk port (enterprise ports)
2. The Intercloud Extender sends the frame from its tunnel port to the Intercloud Switch as Outer MAC/IP/UDP tunnel | L2X | Data
3. The Intercloud Switch forwards it across the provider network switch to the application VM's IC Driver, again as Outer MAC/IP/UDP tunnel | L2X | Data
Core Services: Firewalling/Zoning
[Diagram: Intercloud Fabric for Business (Intercloud Fabric Director, Intercloud Extender) and Provider Cloud (Intercloud Switch), joined by the Intercloud Fabric Secure Extender]
• Enterprise VSG: protects VMs in the private cloud (Web VM)
• Intercloud Fabric VSG: protects VMs in the provider cloud (Test VMs)
• IT admins manage a single security policy for private and provider clouds through Intercloud Fabric
Core Services: Routing Across Hybrid Cloud
[Diagram: DC/Private Cloud with Intercloud Fabric Director and Intercloud Extender; Intercloud Fabric Secure Extender; Provider Cloud with Intercloud Switch, Intercloud Fabric CSR, VLAN Web (VLAN A, 192.168.x.x) and VLAN App (VLAN B, 192.168.x.x), provider gateway (10.x.x.x, 54.x.x.x); remote/branch office ISR and mobile workers over VPN]
• Enterprise VPN access to public cloud VMs
• Direct access to public cloud VMs through NAT
• Intercloud Fabric CSR is the default gateway for VLAN A & B; inter-VLAN communication through ICF routing
Core Services: Establishing Trust
[Diagram: Intercloud Fabric for Business (Intercloud Fabric Director, Intercloud Extender) and Provider Cloud (Intercloud Switch, Web VM), joined by the Intercloud Fabric Secure Extender; IT admins; HTTP/HTTPS]
1. IT admin configures an icfCloud
2. Generate SSH key pair
3. SSH public key passed as part of creating the VM, along with the SSH username
4. SSH public key downloaded as part of VM startup and made the authorized key for the SSH user
Core Services: Establishing Secure Communications
[Diagram: Intercloud Fabric for Business (Intercloud Fabric Director, Intercloud Extender) and Provider Cloud (Intercloud Switch, Web VM), joined by the Intercloud Fabric Secure Extender; IT admins; HTTPS/XML API and SCP channels]
1. Select encryption algorithm and hash for an icfCloud
2. S2S tunnel profile: control channel PSK
3. S2S and access tunnel profile: control channel PSK, data tunnel encryption key, data tunnel hash key
4. Control channel PSK
• Encryption algorithm – AES-128-GCM, AES-128-CBC, AES-256-GCM (Suite B), AES-256-CBC
• Hashing algorithm – SHA-1, SHA-256, SHA-384
Cisco Intercloud Fabric Value Proposition: Secure Workload Mobility via Cisco Virtual Networking
• Consistency: security/networking as an extension of the private cloud
• Control: unified workload management across clouds
• Choice: freedom to place workloads across heterogeneous clouds
• Compliance: policy-based deployment/governance in cloud
[Diagram: fixed workloads in the DC/Private Cloud and variable workloads in the Provider Cloud, joined by Cisco Intercloud Fabric]
Summary
• Virtual networking is becoming a critical component of every Enterprise and SP deployment
• Virtual networking has evolved from simple networking to application- and cloud-aware networking
• Movement of workloads from the VM to the container form factor will make true agility of workloads to the cloud easier, leading to increased cloud adoption in the market
• Containers will require additional scale and innovation in virtual networking and will be the next phase of our data center and cloud networking
Complete Your Online Session Evaluation
• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Call to Action
• Visit the World of Solutions for
– Cisco Campus
– Walk in Labs
– Technical Solution Clinics
• Meet the Engineer
• Lunch time Table Topics
• DevNet zone related labs and sessions
• Recommended Reading: for reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2015