Connect. Design. Create value. With security!
Erwin Breneis, DC Specialist, Application Centric Infrastructure
Modern Datacenter Switching: Cisco's Application Centric Infrastructure. Best Network Infrastructure for each Datacenter Workload
2 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Agenda
• What's New?
• Why your Datacenter should be "Policy Driven"
• Application Centric Infrastructure Overview
• Use case examples
• Summary
Areas of Investment: Best of Breed Architectures
• DevOps / Orchestration Platforms
• SDN Solutions
• Tetration Analytics
Driving Innovation to Deliver Choice: Next-Gen Nexus 9K Portfolio With Cloud Scale Technology
• 25G at Price of 10G; 100G at Price of 40G: 2.5x Bandwidth at Same Price
• Cloud Scale Technology: Up to 12x Scale of Competition
• Embedded Security, Analytics, and Telemetry at 100G Wire Rate
• Open Choices for SDN and Network Automation
Tetration: Real-Time Analytics, Long-term Forensics and Auditing
• Application Dependency Mapping
• Automated Whitelist Policy Generation
• Policy Compliance and Auditability
• Policy Simulation and Impact Assessment
• Forensics (example: flow search and flow anomaly)
• Real-time analytics: <= 10 Minute Actionable Insight
• Pervasive Sensors: Network and Host
NX-OS
Why your DC should be Policy Defined
[Slide diagram: the network today at the datacenter versus how the network should look. Labels: complexity controllable; speed, capacity, security; fly-by-wire / auto-pilot automation solution.]
Application provisioning – it depends on the perspective: that of the IT customer (App, ...) or that of the network admin.
Policy: Links Application Language to Infrastructure
• Application Language: application tier policy and dependencies; security requirements; service level agreement; application performance; compliance; geo dependencies
• Network Language
• Compute/Storage Language
• Security Language
Decouple Application and policy from Underlying Infrastructure
Common Policy: App Network Profile; UCS Service Profile
Policy-Driven Infrastructure
DC Automation by Abstraction (layers, top to bottom):
• End-User Service Catalogue
• High-Level IT Process Automation ("Need Infrastructure")
• Standard Infrastructure Service Catalogue
• Infrastructure Automation, exposed through an API
• Physical and Virtual Resource Pools, each with its own API
Working Together: End-to-End Orchestration
• Business (ITSM): Prime Service Catalog, ServiceNow, Custom Development
• DevOps: CliQr, Jenkins
• Application-Centric Lifecycle Management: Model, Benchmark, Deploy, Manage (Application Profiles)
• Infrastructure: UCS Director, ACI, Nexus Switching, Storage, UCS, Hyper-V
• Datacenter, Private Cloud and Public Cloud profiles: Cisco Cloud Center
Application Centric Infrastructure
ACI Industry Adoption
6,000+ 50+ 1400+ Nexus 9K and ACI Customers Globally
Ecosystem Partners
ACI Customers
New ACI Ecosystem Partners
Applications Are Changing
• Type: Big Data, Distributed Apps, Mobile
• Consumption: Cloud – public, private, hybrid
• Delivery: Anywhere, Anytime, Any Device
78%: The network is even more critical to delivering applications than a year ago*
* Cisco Global IT Impact Survey
ACI is a "better" Network
• Easier to operate: single point of management; zero-touch deployment; embedded network management; troubleshooting wizard; NX-OS-like CLI
• More secure: distributed L4 firewall; microsegmentation; integration with L4-L7 security
• Easier to automate: REST API, API tools; GitHub repository with many examples; SDKs (Python, Ruby, PowerShell)
• Open RESTful APIs; centralized policy model; open source
Application Centric Infrastructure: SDN in a System. Complete Automation and Application Focused, Physical and Virtual, Open APIs
• Controller: APIC
• Policy Model
• Nexus 9000
Next Gen Foundation with 2 Year Advantage: Fabric Wide Cloud Scale and Services
Powered by Cisco: ASIC innovation using 16nm technology
• Cost Advantage: 25G/100G at price of 10/40G; 50% lower system cost, better reliability, lower power
• Investment Protection for the next decade: multi-speed ports 100M - 100G; IP storage, FCoE/FC ready
• Non-blocking Performance: 36p 100G line rate with single chip (25% more)
• Pervasive Visibility at Line Rate: wire rate NetFlow
• Embedded Security at cloud scale: 8x more network segmentation vs competition
• Enhanced Fabric Performance: 50% faster application completion time
• Cloud scale endpoint density 6-7x; 12x IPv6 routes
Platforms with Cloud Scale Technology: Nexus 9200, Nexus 9300EX, Nexus 9500
ACI is a DC network: APIC (Controller), Spines, Leafs
Application Centric Infrastructure: Policy based network configuration and network management
[Slide diagram: applications mapped onto the network through application centric policy, with per-application telemetry shown as a health score (82%), latency, isolation, systems telemetry and "25 packets dropped", next to a "Dev" label.]
An Innovative New Approach to Policy
Application Network Profile: Connectivity, Security, QoS, L4-7 Services
[Slide diagram: end point groups OUTSIDE, WEB, APP and DB joined by contracts, with ADC and firewall (F/W) services inserted between the tiers, labelled "Application".]
What is an application policy?
1. End Point Group: A set of VMs / servers with the same policy
2. Contracts: A set of rules governing communication between groups
3. Service Chains: A set of network services between groups
One Application Centric Infrastructure for Both Modes of IT
• Rapid Provisioning and Agility: programmatic network consumption; infrastructure as code
• Traditional concepts: rapid provisioning API
Security as Policy
It's all about Policies – Everywhere: Identity independent from location
• SIM Card: Identity for a Phone
• Service Profile: Identity for a Server (UCS Service Profile, Unified Device Management: Network Policy, Storage Policy, Server Policy)
• Application Profile: Identity for the Network
Security Integration into ACI
Group Network Objects Based on Business Requirements: Development Lifecycle, Security Zone, Application Tier
ACI Security: Automated Security With Built-In Multi-Tenancy
• Distributed Stateless Firewall
• Line Rate Security Enforcement
• Open: Integrate Any Security Device
• PCI, FIPS (New)
• ACI Services Graph
Embedded Security
• White-list Firewall Policy Model
• Authenticated Northbound API (X.509)
• Encrypted Management Plane (TLS 1.2)
Micro-Segmentation
• VMware vDS, Microsoft Hyper-V, and Bare-metal workloads (New)
• Intra End Point Group Isolation (New)
• Attribute Based Isolation and Quarantine
Security Automation
• Dynamic Service Insertion and Chaining
• Security Policy Follows Workloads
• Centralized Security Provisioning and Visibility
* Note: Available: 1H CY 2016
Security Policy – Dynamic network access lists when an Application is Created/Deleted
• The denial log helps identify what type of traffic is hitting the policy
• Dynamic Endpoint Attachment helps detect new hosts and assign them to the right policy group
L4-L7 Services Automation Example: Enterprise Software Company
Many Data Center customers use multiple firewalls, and it's hard for them to keep up with security changes.
16X Reduction in Access Lists
Compliance
Enhanced Compliance and Full Day-0 Auditability
• ACI is PCI certified
• Common Criteria and FIPS certification in H2 CY16
• Auto-Documentation
• Prove compliance at any point in time
• Policy = Configuration – guaranteed
• Full audit: who did what and when
• Backup and Restore full DC configuration
• End-Point-Tracking: determine what was on the network at any time
Visibility
ACI Visibility: Health Scores, Centralized Management, Virtual and Physical
1. Integrated Overlay/Underlay
• Full visibility into underlay and overlay
• Dramatically simplifies troubleshooting and monitoring
2. Centralized Management and Open APIs
• Single point of debugging and troubleshooting
• Troubleshooting Wizard
• Remediation policies
• Broad monitoring ecosystem support with open APIs
3. Health Scores (Tenant, Application)
• Correlate application and tenant view with underlying infrastructure
• Tenant
• Application
Workload Independent, Integration and Openness
ACI - Consistent Policy Model Data Center: Physical, Virtual, Container, L4-L7, & Cloud
[Slide diagram: hypervisor and container hosts attached to the fabric over V(X)LAN, each with its own virtual switch and each labelled OpFlex: KVM with Open vSwitch and an OpFlex Agent; ESXi with Cisco AVS or VMware DVS; Hyper-V with the Microsoft vSwitch; Docker with Open vSwitch and an OpFlex Agent. VMs (VM1, VM2) and containers (Docker1, Docker2) run on the hosts.]
ACI: Open and Programmable
• Programmable Open APIs: RESTful APIs, ACI Toolkit
• 3rd Party Ecosystem: Built by Third Party
• Standards-Based: OpFlex, Group-Based Policy, VXLAN, 1/10G, 40G, 100G
• Open Source: ACI Toolkit
Operations
Operational Benefits with ACI
• Availability Management: Design Service, Testing, Monitoring
• Service Transition: Change Management, Evaluation, Service Asset Management
• Capacity Management: Reporting
• Incident Management: Root Cause Analysis, Graphical Troubleshooting
Service Operation: Incident Management #1 – Health scores, tenant/application impact. Act first on the faults with customer impact!
Service Operation: Incident Management – L4-L7 services are included in the analysis
Use Cases
• Bare Metal, Virtualized and Containers
• VM Density and Converged/Hyperconverged Storage: 10/25/40/50/100G Ethernet Transition
• Hybrid-Cloud: Over 54% of Enterprises Moving to Hybrid Cloud
• Big Data and Analytics, Foundational for Next Gen DC: 25% CAGR IP Traffic Growth [1]
[1] Cisco Global Cloud Index Forecast (2013-2017)
Innovation Driving Application Performance: Impact of ACI Fabric Innovations on Big Data Apps
Case Study – Big Data Analytics, based on common network load and link failure scenarios
[Slide chart: completion time in seconds (axis 100 to 300) for ACI versus a traditional network at 60%, 60% and 90% network utilization.]
Network Innovations: Dynamic Load Balancing, Dynamic Packet Prioritization, Congestion Management. Result: Faster Completion Times
Delivering on Its Strategic Vision: 441% ROI With Next-Generation, Secure Data Center Powered by Cisco ACI
5-Year Cumulative Benefits:
• $145M in business benefits
• 11-month payback
• 87% faster application dev. cycle
• 83% more efficient network ops
• 40x improvement in bandwidth
“We did the planning, design and execution for this whole software-defined, ACI approach in four and a half months. That kind of speed is unheard of when implementing a leapfrogging technology.” Sheila Jordan, CIO, Symantec
Summary
Policy Driven Automation for "Cloud Operational Model"
IT as a Service: IaaS | PaaS | SaaS | XaaS; Flexible Consumption Models
Foundational Challenges (ACI Solves):
§ Agility/Automation
§ Open/Programmability
§ Multi-tenancy/Segmentation
§ Scalability/Elasticity
§ Security/Compliance
§ Operations/TCO
Layers: Self Service (Self Service Catalog); Orchestration (Cisco CloudCenter); Foundation (Storage, Compute, PaaS)
Cisco ACI, Application Centric Infrastructure: The Most Complete Solution for Our Customers
• Automation through Common Policy
• Physical, Virtual and Containers
• Open, Standards-Based and Embedded Security
Q&A – Erwin Breneis