Connect. Shape. Create value. With security!

Erwin Breneis, DC Specialist Application Centric Infrastructure

Modern Datacenter Switching: Cisco’s Application Centric Infrastructure

Best Network Infrastructure for each Datacenter Workload

Modern Datacenter Switching Cisco’s Application … Centric Infrastructure Policy based network configuration and network management Applications Network APPLICATION CENTRIC POLICY

2 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Agenda

•  What's New?
•  Why your Datacenter should be "Policy Driven"
•  Application Centric Infrastructure Overview
•  Use case examples
•  Summary

Areas of Investment: Best of Breed Architectures

DevOps/Orchestration Platforms

SDN Solutions

Tetration Analytics

Driving Innovation to Deliver Choice Next-Gen Nexus 9K Portfolio With Cloud Scale Technology

25G at Price of 10G; 100G at Price of 40G

2.5x Bandwidth at Same Price

Cloud Scale Technology

Up to 12x Scale of Competition

Embedded Security, Analytics, and Telemetry at 100G Wire Rate

Open Choices for SDN and Network Automation

Tetration: Real-Time Analytics

Long-term Forensics and Auditing

Application Dependency Mapping

Automated Whitelist Policy Generation

Policy Compliance and Auditability

Policy Simulation and Impact Assessment

Forensics (example: flow search and flow anomaly)

Real-time analytics: <= 10 Minute Actionable Insight

Pervasive Sensors: Network and Host

NX-OS

Why your DC should be Policy Defined

Complexity controllable

Speed Capacity Security

Fly-by-wire Auto-Pilot Automation Solution

Network today at the Datacenter

How the network should look

Application provisioning – it depends on the Perspective on …

IT customer (App, ..)

Network admin

Network Language

Compute/Storage Language

Security Language

Application Language

•  Application tier policy and dependencies
•  Security requirements
•  Service level agreement
•  Application performance
•  Compliance
•  Geo dependencies

Decouple Application and Policy from Underlying Infrastructure

Infrastructure

Common Policy

App Network Profile

UCS Service Profile

Policy: Links Application Language to Infrastructure

Policy-Driven Infrastructure

DC Automation by Abstraction

High-Level IT Process Automation

Standard Infrastructure Service Catalogue

Infrastructure Automation

Need Infrastructure Need Infrastructure

End-User Service Catalogue

API

API API API API

Physical and Virtual Resource Pools

Working Together: End-to-End Orchestration Business (ITSM)

Prime Service Catalog, ServiceNow, Custom Development (DevOps)

CliQr, Jenkins

Application-Centric Lifecycle Management

Model Benchmark Deploy Manage

Application Profiles

UCS Director ACI

Nexus Switching Storage UCS

Datacenter Private Cloud Public Cloud Profile Profile

Hyper-V

Cisco Cloud Center

Application Centric Infrastructure

ACI of Industry Adoption

6,000+ Nexus 9K and ACI Customers Globally

50+ Ecosystem Partners

1400+ ACI Customers

New ACI Ecosystem Partners

* Cisco Global IT Impact Survey

Applications Are Changing

Type Consumption Delivery

78% The network is even more critical to delivering applications than a year ago*

Big Data, Distributed Apps, Mobile

Cloud: Public, Private, Hybrid

Anywhere, Anytime, Any Device

ACI is a “better” Network

Easier to operate

•  Single point of management
•  Zero-Touch Deployment
•  Embedded network management
•  Troubleshooting wizard
•  NXOS-like CLI

More secure

•  Distributed L4 firewall
•  Microsegmentation
•  Integration with L4-L7 security

Easier to automate

•  REST API, API tools
•  GitHub repository with many examples
•  SDKs (Python, Ruby, PowerShell)

Open restful APIs Centralized policy model

Open source

Application Centric Infrastructure SDN in a System, Complete Automation & Application Focused, Physical & Virtual, Open APIs

Applications Centric Infrastructure

Controller Policy Model Nexus 9000

APIC

Next Gen Foundation with 2 Year Advantage Fabric Wide Cloud Scale and Services

Powered by Cisco ASIC innovation using 16nm technology

Cost Advantage 25G/100G at price of 10/40G

Investment Protection for the next decade

Non-blocking Performance

Pervasive Visibility at Line Rate

Embedded Security at cloud scale

Enhanced Fabric Performance

50% Lower system cost, better reliability, lower power

Multi-speed ports 100M -100G IP storage, FCOE/FC ready

36p 100G line rate w/ single chip—25% more

Wire rate NetFlow

50% faster application completion time

8x more network segmentation vs competition Cloud scale endpoint density 6-7x 12x IPv6 routes Nexus 9200

Nexus 9300EX Nexus 9500

Cloud Scale Technology

ACI is a DC network

APIC

Spines

Leafs

Controller

Application Centric Infrastructure Policy based network configuration and network management

Applications

Network

APPLICATION CENTRIC POLICY

Latency

Health Score

82%

Isolation

Systems Telemetry

25 Packets dropped

Dev

An Innovative New Approach to Policy

Connectivity Security QoS L4-7 Services

APPLICATION NETWORK PROFILE

Contract Contract Contract

OUTSIDE DB APP WEB

ADC F/W ADC

What is an application policy?

1. End Point Group: A set of VMs / servers with the same policy
2. Contracts: A set of rules governing communication between groups
3. Service Chains: A set of network services between groups

Application

One Application Centric Infrastructure for Both Modes of IT Rapid Provisioning and Agility

- Programmatic Network consumption

-  Infrastructure as code

- Traditional concepts - Rapid provisioning API

Security as Policy

It’s all about Policies – Everywhere

Identity independent of location

SIM Card Identity for a Phone

Service Profile Identity for a Server

UCS Service Profile Unified Device Management

Network Policy

Storage Policy

Server Policy

Application Profile Identity for the Network

Security Integration into ACI

Group Network Objects Based on Business Requirements

Development Lifecycle

Security Zone

Application Tier

ACI Security Automated Security With Built-In Multi-Tenancy

Distributed Stateless Firewall

Line Rate Security Enforcement

Open: Integrate Any Security Device

PCI, FIPS (New)

ACI Services Graph

Embedded Security

•  White-list Firewall Policy Model
•  Authenticated Northbound API (X.509)
•  Encrypted Management Plane (TLS 1.2)

Micro-Segmentation

•  VMware vDS, Microsoft Hyper-V, and Bare-metal workloads (New)
•  Intra End Point Group Isolation (New)
•  Attribute Based Isolation and Quarantine

Security Automation

•  Dynamic Service Insertion and Chaining
•  Security Policy Follows Workloads
•  Centralized Security Provisioning and Visibility

* Note: Available: 1H CY 2016

Security Policy – Dynamic network access lists when an Application is Created/Deleted

Denial log will help us identify what type of traffic is hitting the policy

Dynamic Endpoint Attachment helps identify new host detection and assignment to right policy group

L4-L7 Services Automation Example: Enterprise Software Company

Many Data Center customers use multiple firewalls and it's hard for them to keep up with security changes

16X Reduction in Access Lists

Compliance

Enhanced Compliance and Full Day-0 Auditability

•  ACI is PCI certified
•  Common Criteria and FIPS certification in H2CY16
•  Auto-Documentation
•  Prove compliance at any point in time
•  Policy = Configuration – guaranteed
•  Full audit: who did what and when
•  Backup and Restore full DC configuration
•  End-Point-Tracking
•  Determine what was on network at any time

Visibility

ACI Visibility Health Scores, Centralized Management, Virtual and Physical

1

•  Full visibility into underlay and overlay
•  Dramatically simplifies troubleshooting and monitoring

2

•  Single point of debugging and troubleshooting
•  Troubleshooting Wizard
•  Remediation policies
•  Broad monitoring ecosystem support with open APIs

3

•  Correlate application and tenant view with underlying infrastructure
•  Tenant
•  Application

Health Scores

TENANT APPLICATION

Centralized Management and Open APIs

Integrated Overlay/Underlay

Workload Independent, Integration and Openness

VM1 VM2 VM1 VM1 VM2

KVM OpFlex Agent

V(X)LAN

Open vSwitch

ESXi Cisco AVS

V(X)LAN

VMware DVS

Hyper-V MSFT vSwitch

V(X)LAN

Docker OpFlex Agent

V(X)LAN

Open vSwitch

VM1 VM1 VM2 VM1 Docker1 Docker2

Docker1 Docker1

ACI - Consistent Policy Model Data Center: Physical, Virtual, Container, L4-L7, & Cloud

OpFlex OpFlex OpFlex OpFlex

ACI: Open and Programmable

Programmable Open APIs

3rd Party Ecosystem Standards-Based Open Source

RESTful APIs

ACI Toolkit

Built by Third Party OpFlex

Group-Based Policy

VXLAN

1/10G, 40G, 100G

ACI Toolkit

Operations

•  Availability Management
•  Design Service, Testing, Monitoring
•  Service Transition
•  Change Management, Evaluation, Service Asset
•  Capacity Management
•  Management, Reporting
•  Incident Management
•  Root Cause Analysis, Graphical Troubleshooting

Operational Benefits with ACI

Incident Management #1 Healthscores, tenant/application impact

Service Operation

Act first on the faults with customer impact!

Incident Management: L4-L7 services are included in the analysis

Service Operation

Use Cases

Bare Metal, Virtualized and Containers

VM Density and Converged/Hyperconverged Storage 10/25/40/50/100G Ethernet Transition

Hybrid-Cloud Over 54% Enterprises Moving to Hybrid Cloud

Big Data and Analytics: Foundational for Next Gen DC 25% CAGR IP Traffic Growth1

1.  Cisco Global Cloud Index Forecast (2013-2017)

Innovation Driving Application Performance Impact of ACI Fabric Innovations on Big Data Apps

[Chart: Time (s) for ACI vs. Traditional Network]

Case Study – Big Data Analytics

Based on common network load and link failure scenarios

Network Innovations Dynamic Load Balancing

Dynamic Packet Prioritization

Faster Completion Times

Congestion Management

60% 60% 90%

Network Utilization

Delivering on Its Strategic Vision: 441% ROI With Next-Generation, Secure Data Center Powered by Cisco ACI

5-Year Cumulative Benefits

$145M IN BUSINESS BENEFITS

11MTH PAYBACK

87% FASTER APPLICATION DEV. CYCLE

83% MORE EFFICIENT NETWORK OPS

40X IMPROVEMENT IN BANDWIDTH

“We did the planning, design and execution for this whole software-defined, ACI approach in four and a half months. That kind of speed is unheard of when implementing a leapfrogging technology.” Sheila Jordan, CIO, Symantec

Summary

Policy Driven Automation for “Cloud Operational Model”

IT as a Service IaaS | PaaS | SaaS | XaaS

Flexible Consumption Models

Foundational Challenges

§  Agility/Automation
§  Open/Programmability
§  Multi-tenancy/Segmentation
§  Scalability/Elasticity
§  Security/Compliance
§  Operations/TCO

FOUNDATION

ORCHESTRATION

SELF SERVICE

ACI Solves

Storage Compute PaaS

Self Service Catalog

Cisco CloudCenter

Cisco ACI

Application Centric Infrastructure

The Most Complete Solution for Our Customers

Automation through Common Policy

Physical, Virtual and Containers

Open, Standards-Based and Embedded Security

Q&A Erwin Breneis