Cisco Confidential© 2015 Cisco and/or its affiliates. All rights reserved. 1
Cisco ACI Hands-on Lab
Azeem Suleman - Principal Engineer, Insieme Business Unit
Nadir Lakhani - Systems Engineer, Sales
18th May 2016
In collaboration with
Housekeeping notes
Thank you for attending Cisco Connect Toronto 2016. A few housekeeping notes so we all enjoy the session today:
• Please set cellphones and laptops to silent so no one is disturbed during the session
• You should have a laptop or device that can access dCloud for the lab
• Have enough power (and energy) to last the 4-hour session
Global Traction Across All Market Segments
6,000+ Nexus 9K and ACI customers globally
1,400+ ACI customers
50+ ecosystem partners (new ecosystem)
Evolution of Data Center
Accelerating Convergence Disruptions Through Innovation
Innovation timeline:
2005 - IP convergence: data, voice, video
2010 - Virtualization: compute, network, storage
2014 - Application economy: application, network scale and security
2016+ - Hybrid cloud: analytics, hyperconvergence, cloud scale
Policy-Driven Integrated Infrastructure Answers Customers' Requests
1. Modernize infrastructure: open and programmable (network / L4-7, compute, storage, security) in the data center
2. Automate and simplify (policy)
3. Build your hybrid cloud (private cloud stack, integrated infrastructure)
4. Choose any other cloud (managed, public, private)
5. Move data and workloads securely
6. Self-service portal (IT as a Service)
7. Extend the policy model
8. Policy everywhere
9. Security everywhere
10. Analytics everywhere
A Generation Ahead: Leapfrogging the Competition
[Chart: features and capabilities over time, 2012 to 2018]
Competition: 2-year development cycle
Cisco: 18-month development cycle; new switches every 18 months
ASIC generations on the chart: T2 (40nm), TH (28nm), Jericho (28nm), N9K Gen1 ASICs (28nm), N9K Gen2 ASICs (16nm)
Next Gen Foundation with 2 Year Advantage
Fabric-wide cloud scale and services, powered by Cisco ASIC innovation using 16nm technology
Cloud Scale technology:
• Cost advantage: 25G/100G at the price of 10/40G
• Investment protection for the next decade
• Non-blocking performance; pervasive visibility at line rate
• Embedded security at cloud scale
Enhanced fabric performance:
• 50% lower system cost, better reliability, lower power
• Multi-speed ports 100M-100G; IP storage, FCoE/FC ready
• 36-port 100G line rate with a single chip (25% more)
• Wire-rate NetFlow
• 50% faster application completion time
• 8x more network segmentation vs competition; 6-7x cloud scale endpoint density; 12x IPv6 routes
Platforms: Nexus 9200, Nexus 9300EX, Nexus 9500
Modular Cloud Scale Platform for Spine/Aggregation
Cloud economics: starts at $1,500 US list per 100G port
Cloud network requirements:
• Shift to scale-out architectures based on spine/leaf routed designs
• Support for workload mobility and dynamic traffic flow optimization
• Granular control and telemetry at tenant and application level
• Automation at scale
Available now: Nexus 9500, built for generations
• Best price-performance available today
• Full Internet route table (1M+)
• Up to 512 line-rate 100G ports per chassis
• Converged fabric for IP storage
Organizational Transformation with ACI
Ultimate goal: achieve application agility with minimal risk, with a policy-driven framework across all elements of the infrastructure, private and public cloud
Step 1: Network automation
• Deploy a modern, programmable infrastructure
• Train/upgrade the skillset of your team on programmable APIs
Step 2: Services automation
• Integrate additional L4-L7 services
Step 3: Application-based automation
• Deploy applications based on policy templates
Application Centric Infrastructure (ACI): Rapid Deployment of Applications onto Networks with Scale, Security and Full Visibility
ACI = Application Centric Policy Controller (APIC) + Nexus 9500 and 9300
Architecture
[Diagram: spine nodes, leaf nodes and AVS on the hypervisor; EPGs "Users", "Files" and "Internet" attach to the fabric as service consumers and service producers]
Application Policy Model and Instantiation
All forwarding in the fabric is managed through the application network profile:
• IP addresses are fully portable anywhere within the fabric
• Security and forwarding are fully decoupled from any physical or virtual network attributes
• Devices autonomously update the state of the network based on configured policy requirements
Application policy model: defines the application requirements (application network profile)
Policy instantiation: each device dynamically instantiates the required changes based on the policies
[Diagram: an application client reaching a Web tier, App tier and DB tier of VMs (addresses 10.2.4.7, 10.9.3.37 and 10.32.3.7 shown) plus storage, all instantiated from one policy]
Access Methodology
• CLI (command-line interface): the user issues commands to the program as successive lines of text (command lines)
• GUI (graphical user interface): users interact with devices through graphical icons and visuals
• Programmable interface: software components/objects exposed to be called directly by other programs
• Open source tool: ACI Toolkit, with configuration roll-back, endpoint tracker and other applications
ACI Toolkit
• Simple toolkit built on top of the APIC API
• A set of simple Python classes: a Python library used to generate REST API calls, runs locally
• Small number of classes (~30 currently) with intuitive names
• Not full functionality; covers the most common operations, focused primarily on configuration
• Preserves the basic ACI concepts: tenants, EPGs, contracts, etc.
[Diagram: the APIC is reached through the ACI Toolkit, Linux commands, the NX-OS-like CLI, or custom Python scripts]
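As an added example (not code from the slides, and not the ACI Toolkit itself), here is the exchange that the "programmable interface" bullet and the Toolkit's generated REST calls rest on, in stdlib Python: POST the credentials to /api/aaaLogin.json, send the returned token back as the APIC-cookie, then query a class such as fvTenant. The endpoints and the imdata response shape are the APIC's real ones; the host name, credentials and the three sample responses are constructed for offline use.

```python
"""Minimal APIC REST client: login, session cookie, class query.

Added example, not code from the slides or the ACI Toolkit.  Endpoints
(/api/aaaLogin.json, /api/aaaRefresh.json, /api/class/<cls>.json, /api/mo/uni.json)
and the imdata response shape are the APIC's; host, credentials and the
SAMPLE_* responses below are placeholders constructed for offline use.
"""
import json
import ssl
import urllib.request


def login_payload(user, pwd):
    """Body of POST /api/aaaLogin.json."""
    return json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": pwd}}}).encode()


def login_error(body):
    """Error text of a failed login, or None.  The APIC reports failures as an
    'error' object inside imdata, so checking the HTTP status alone is not enough."""
    items = json.loads(body).get("imdata") or []
    if items and "error" in items[0]:
        return items[0]["error"]["attributes"].get("text", "login failed")
    return None


def parse_login(body):
    """Return (token, refresh_timeout_seconds) from a successful aaaLogin response.

    The token is what later requests carry as the APIC-cookie; it expires after
    refreshTimeoutSeconds unless GET /api/aaaRefresh.json is called in time."""
    err = login_error(body)
    if err:
        raise PermissionError(err)
    items = json.loads(body).get("imdata") or []
    if not items or "aaaLogin" not in items[0]:
        raise ValueError("unexpected login response")
    attrs = items[0]["aaaLogin"]["attributes"]
    return attrs["token"], int(attrs["refreshTimeoutSeconds"])


def parse_class_query(body, cls):
    """Attribute dicts of every object of class `cls` in an imdata response."""
    return [item[cls]["attributes"] for item in json.loads(body).get("imdata", []) if cls in item]


class ApicClient:
    """Tiny session wrapper.  TLS is verified against `cafile` (or the system store):
    a lab APIC has a self-signed certificate, so export that certificate once and
    pass it here instead of disabling verification."""

    def __init__(self, host, cafile=None, timeout=15):
        self.base = f"https://{host}"
        self.timeout = timeout
        ctx = ssl.create_default_context(cafile=cafile)
        self._opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
        self.token = None

    def _request(self, method, path, body=None):
        req = urllib.request.Request(self.base + path, data=body, method=method)
        req.add_header("Content-Type", "application/json")
        if self.token:
            req.add_header("Cookie", f"APIC-cookie={self.token}")
        with self._opener.open(req, timeout=self.timeout) as resp:
            return resp.read()

    def login(self, user, pwd):
        self.token, self.refresh_seconds = parse_login(
            self._request("POST", "/api/aaaLogin.json", login_payload(user, pwd)))
        return self.token

    def refresh(self):
        """Extend the session; call within refresh_seconds of the last request."""
        self._request("GET", "/api/aaaRefresh.json")

    def tenants(self):
        rows = parse_class_query(self._request("GET", "/api/class/fvTenant.json"), "fvTenant")
        return [row["name"] for row in rows]

    def post_mo(self, mo_json):
        """Push a managed-object tree (e.g. a whole fvTenant) to the root of the MIT."""
        return self._request("POST", "/api/mo/uni.json", json.dumps(mo_json).encode())


# Constructed sample responses in the APIC's imdata shape (not captured from a fabric).
SAMPLE_LOGIN = json.dumps({"totalCount": "1", "imdata": [{"aaaLogin": {"attributes": {
    "token": "eyJhbGciOiJSUzI1NiJ9.example", "refreshTimeoutSeconds": "600"}}}]})
SAMPLE_LOGIN_FAIL = json.dumps({"totalCount": "1", "imdata": [{"error": {"attributes": {
    "code": "401", "text": "User credential is incorrect - FAILED local authentication"}}}]})
SAMPLE_TENANTS = json.dumps({"totalCount": "2", "imdata": [
    {"fvTenant": {"attributes": {"name": "common", "dn": "uni/tn-common"}}},
    {"fvTenant": {"attributes": {"name": "Lab3Tier", "dn": "uni/tn-Lab3Tier"}}}]})

# Usage against a real APIC (placeholder host and credentials; not run here):
#   client = ApicClient("apic.example.net", cafile="apic-ca.pem")
#   client.login("admin", "changeme"); print(client.tenants())
```

The `cafile` argument is the part worth keeping: a lab APIC with a self-signed certificate tempts people into switching verification off in the client, which exposes the login body (it carries the password in clear JSON) to anyone on the path. Pinning the exported certificate costs one line. The token is time-limited, so long-running scripts call `refresh()` inside the refreshTimeoutSeconds window rather than re-sending the password.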
ACI Release Timeline
CY14: A (11.0) Aug '14; 11.0 MR1 Nov '14
CY15: 11.0 MR2 Feb '15; 11.0 MR3 May '15; B (11.1) Jun '15; 11.1 MR1 Aug '15; 11.1 MR2 Sep '15; 11.1 MR3 Nov '15; 11.2 Dec '15
CY16: 11.2 MR1 Feb '16; 11.2 MR2 Q2 CY16; Congo Q3 CY16
Overloaded Network Constructs
VLANs and subnets end up carrying basic network policy, SLAs and L4-7 services all at once: the network constructs are overloaded with unintended functionality.
Some new (or not so new) terms: Tenants, VRF (Context), Bridge Domains, Application Network Profiles, Endpoint Groups, Contracts/Filters
Bridge Domain (BD)
• A unique layer 2 (L2) or layer 3 (L3) forwarding domain
• Can contain one or more subnets (if unicast routing is enabled)
• Each bridge domain must be linked to a context (VRF)
Equivalent network construct:
• If a BD is configured as an L2 forwarding domain, it has one or more associated VLANs, and each VLAN maps to an EPG
• If a BD is configured as an L3 forwarding domain, it is equivalent to an SVI with one or more subnets per BD
NOTE: a BD can span multiple switches
Bridge Domain (BD) Modes
L2 Unknown Unicast:
• Flood: the packet is flooded within the BD
• Hardware Proxy: the packet is sent only to the proxy spine
ARP Flooding:
• Enabled: ARP packets are flooded in the BD
• Disabled: ARP packets undergo an L3 unicast lookup for the target IP in the VRF; the ARP packet behaves like an L3 unicast packet until it reaches the egress TOR
Unicast Routing:
• Enabled: define subnets
• Disabled: no subnets defined
Unknown Multicast Flooding:
• Flood: the ingress TOR floods; the egress TOR floods to front-panel ports if a router port exists on that BD, or sends to the fabric if it is transit
• Optimized Flood (up to ~75 BDs per TOR): sent only to router ports in the fabric
Object Relationship
Tenant
  Context (VRF)
    BD
      Subnet A
      Subnet B
    BD
      Subnet C
  Context (VRF)
    BD
      Subnet B
      Subnet C
(The same subnet can appear again under a different context, because each VRF is its own routing space.)
End Point Group (EPG)
• A set of hosts that behave the same
• "Behave the same" means the hosts represent an application or application component, independent of any other network construct (VLAN, subnet, physical location)
[Diagram: several HTTP and HTTPS service instances grouped into EPG "Web" in the policy model]
Application Network Profile (ANP)
• An Application Network Profile is a group of EPGs and the policies that define the communication between them
[Diagram: Application Network Profile = EPG "Web", EPG "App" and EPG "DB" with inbound/outbound policies between them, in the policy model]
Contracts
• Define the way in which EPGs interact: one EPG provides a contract, another consumes it
• The policy model allows for both unidirectional and bidirectional policies
• Without a contract between two EPGs the fabric forwards no traffic between them (the VRF's default, policy-enforced mode); contracts are a whitelist, not a filter on otherwise-open communication
[Diagram: the ACI logical model applied to the "3-Tier App" ANP; Contract 01 (bidirectional communication) and Contract 02 (unidirectional communication) between EPG A, EPG B and EPG C]
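As an added example (not code from the slides or from the ACI Toolkit), the objects introduced on the last few slides, expressed as the JSON tree the APIC accepts at POST /api/mo/uni.json: a tenant, a VRF (fvCtx), bridge domains carrying the four mode knobs from the "Bridge Domain Modes" slide, filters, contracts, and an ANP with Web, App and DB EPGs. This is also what the "programmable interface" bullet under Access Methodology and the ACI Toolkit slide come down to, since the Toolkit's classes generate REST calls with payloads of this shape. Managed-object class and attribute names (fvTenant, fvBD.unkMacUcastAct, vzBrCP, fvRsCons, ...) are the APIC's; the tenant, EPG and contract names, the ports and the 10.1.x.0/24 subnets are made up.

```python
"""APIC REST payload for a 3-tier ANP (Web -> App -> DB), plus pre-push checks.

Added example, not from the slides or the ACI Toolkit.  Class/attribute names
are the APIC managed-object model; names, ports and subnets are made up.
"""


def mo(cls, children=None, **attrs):
    """One managed object in APIC JSON form: {cls: {"attributes": {...}, "children": [...]}}."""
    body = {"attributes": {k: str(v) for k, v in attrs.items()}}
    if children:
        body["children"] = list(children)
    return {cls: body}


def bd_problems(name, subnets, unicast_routing, arp_flood, l2_unknown_unicast, unknown_multicast):
    """Consistency checks for the four BD mode knobs; returns a list of problems."""
    problems = []
    if l2_unknown_unicast not in ("flood", "proxy"):
        problems.append(f"{name}: unkMacUcastAct must be 'flood' or 'proxy'")
    if unknown_multicast not in ("flood", "opt-flood"):
        problems.append(f"{name}: unkMcastAct must be 'flood' or 'opt-flood'")
    if unicast_routing and not subnets:
        problems.append(f"{name}: unicast routing enabled but no subnet defined")
    if not unicast_routing and not arp_flood:
        # Routing off means no L3 lookup for the ARP target exists, so ARP must flood.
        problems.append(f"{name}: a pure L2 BD needs ARP flooding enabled")
    return problems


def bridge_domain(name, vrf, subnets=(), unicast_routing=True, arp_flood=False,
                  l2_unknown_unicast="proxy", unknown_multicast="flood"):
    """fvBD bound to a VRF (fvRsCtx) with fvSubnet children.  Knobs map to
    fvBD.unicastRoute, fvBD.arpFlood, fvBD.unkMacUcastAct, fvBD.unkMcastAct."""
    problems = bd_problems(name, subnets, unicast_routing, arp_flood,
                           l2_unknown_unicast, unknown_multicast)
    if problems:
        raise ValueError("; ".join(problems))
    children = [mo("fvRsCtx", tnFvCtxName=vrf)]
    children += [mo("fvSubnet", ip=ip, scope="private") for ip in subnets]
    return mo("fvBD", children, name=name,
              unicastRoute="yes" if unicast_routing else "no",
              arpFlood="yes" if arp_flood else "no",
              unkMacUcastAct=l2_unknown_unicast, unkMcastAct=unknown_multicast)


def tcp_filter(name, port):
    """vzFilter with one vzEntry matching TCP to a single destination port."""
    entry = mo("vzEntry", name=f"tcp-{port}", etherT="ip", prot="tcp", dFromPort=port, dToPort=port)
    return mo("vzFilter", [entry], name=name)


def contract(name, filter_names):
    """vzBrCP with one subject; revFltPorts='yes' admits the reply traffic."""
    subj = mo("vzSubj", [mo("vzRsSubjFiltAtt", tnVzFilterName=f) for f in filter_names],
              name="subj", revFltPorts="yes")
    return mo("vzBrCP", [subj], name=name, scope="context")


def epg(name, bd, provides=(), consumes=()):
    """fvAEPg bound to a BD; provides/consumes list contract names."""
    children = [mo("fvRsBd", tnFvBDName=bd)]
    children += [mo("fvRsProv", tnVzBrCPName=c) for c in provides]
    children += [mo("fvRsCons", tnVzBrCPName=c) for c in consumes]
    return mo("fvAEPg", children, name=name)


def three_tier_tenant(tenant="Lab3Tier", vrf="Lab-VRF"):
    """One enforced VRF, three BDs, two contracts, one ANP with Web/App/DB EPGs."""
    return mo("fvTenant", [
        mo("fvCtx", name=vrf, pcEnfPref="enforced"),
        bridge_domain("Web-BD", vrf, ["10.1.1.1/24"]),
        bridge_domain("App-BD", vrf, ["10.1.2.1/24"]),
        bridge_domain("DB-BD", vrf, ["10.1.3.1/24"]),
        tcp_filter("app-8080", 8080),
        tcp_filter("mysql-3306", 3306),
        contract("web-to-app", ["app-8080"]),
        contract("app-to-db", ["mysql-3306"]),
        mo("fvAp", [
            epg("Web", "Web-BD", consumes=["web-to-app"]),
            epg("App", "App-BD", provides=["web-to-app"], consumes=["app-to-db"]),
            epg("DB", "DB-BD", provides=["app-to-db"]),
        ], name="3-Tier-App"),
    ], name=tenant)


def _children(obj, cls, child_cls):
    return [c for c in obj[cls].get("children", []) if child_cls in c]


def allowed_pairs(tenant_mo):
    """(consumer EPG, provider EPG) pairs the tenant's contracts permit.

    Review step before pushing: any EPG pair absent from this set has no contract,
    so the fabric drops traffic between them (whitelist model)."""
    provides, consumes = {}, {}
    for ap in _children(tenant_mo, "fvTenant", "fvAp"):
        for e in _children(ap, "fvAp", "fvAEPg"):
            ename = e["fvAEPg"]["attributes"]["name"]
            for r in _children(e, "fvAEPg", "fvRsProv"):
                provides.setdefault(r["fvRsProv"]["attributes"]["tnVzBrCPName"], set()).add(ename)
            for r in _children(e, "fvAEPg", "fvRsCons"):
                consumes.setdefault(r["fvRsCons"]["attributes"]["tnVzBrCPName"], set()).add(ename)
    return {(c, p) for name, cs in consumes.items() for c in cs for p in provides.get(name, ())}
```

`allowed_pairs(three_tier_tenant())` yields only Web to App and App to DB; Web never reaches DB because no contract joins them, which is the whitelist behaviour the Contracts slide describes. The `bd_problems` checks encode the two combinations from the BD Modes slide that a payload can get wrong silently: unicast routing with no subnet, and a pure L2 bridge domain with ARP flooding turned off.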
Congo Release (2.x): Execute Committed, Target Q3 CY2016
Infrastructure, virtualization, operations:
• Multi-Pod; WAN integration (GOLF)
• VXLAN EVPN BGP (iBGP and eBGP) for IPv4 and IPv6
• OpFlex push to N7K, ASR9K; QSA support on -EX spine/leaf; FCoE NPV; PFC (802.1Qbb)
Routing & switching:
• PBR and policy-based service insertion; symmetric multipath load balancing & redirection
• Multicast routing: PIM support (PIM-SM/SSM/Bidir) on -EX hardware
• OSPF inbound area filtering; BGP limit maximum AS (maxas-limit); 64-way ECMP
Virtualization:
• ACI vCenter plugin; multiple vCenters per fabric (50); AVS; vRealize; VEM commands from APIC; EPG health score
• WAP 2.0 + service chaining
• OpenStack 'Liberty' support; hierarchical VLANs; VMware hypervisor integration; GBP + ML2 unified plugin
Visibility and analytics: analytics support on -EX hardware; Copy Service
Security: permit logging
Hardware: DC48V support (fixed and modular spine); DOM on ACI mode
ACI Multi-Pod Solution: Overview
• Multiple ACI Pods connected by an IP inter-Pod L3 network; each Pod consists of leaf and spine nodes
• Managed by a single APIC cluster: a single management and policy domain
• Each Pod runs its own forwarding control plane (IS-IS, COOP), which gives fault isolation between Pods; MP-BGP EVPN carries reachability across the inter-Pod network
• Data plane: VXLAN encapsulation between Pods
• End-to-end policy enforcement
[Diagram: Pod 'A' ... Pod 'n', each running IS-IS, COOP and MP-BGP, joined by the inter-Pod network with MP-BGP EVPN, under a single APIC cluster]
ACI Multi-Pod Solution: Use Cases
• L3 core: more than 2 interconnected sites
• Handling a 3-tier physical cabling layout: cabling constraints (multiple buildings, campus, metro) require a second tier of "spines"; preferred option when compared to a ToR FEX deployment
• Evolution of the stretched fabric design: metro area (dark fiber, DWDM), inter-Pod and WAN/DCI
[Diagram: ACI fabrics 'A' through 'E' interconnected]
ACI Integration with WAN at Scale: 'Project GOLF' Overview
• Addresses both control plane and data plane scale
• VXLAN data plane between ACI spines and WAN routers
• BGP-EVPN control plane between ACI spines and WAN routers
• OpFlex for exchanging configuration parameters (VRF names, BGP route-targets, etc.)
• Consistent policy enforcement on ACI leaf nodes (for both ingress and egress directions)
• 'GOLF' router support (Q3 CY16): Nexus 7000, ASR9000 and ASR1000 (not yet committed)
ACI Integration with WAN at ScaleSupported Topologies
New Automation: Cisco Nexus Fabric Manager (NFM), Single Point, Fabric-Wide Management
• Build and self-manage a VXLAN-based fabric; fully deploy in three steps; zero-touch provisioning
• Dynamically configure switches; simplify management with a point-and-click user interface
Fabric management lifecycle: creation, expansion, connection, fault management, reporting; NFM automates each stage
Traditional Script-Based Approaches
• Hard-wired workflow and custom scripting: rigid
• Change PaaS? Breaks the system; re-scripting required
• Change cloud? Breaks the system; re-scripting required
CliQr CloudCenter: Any App, Any Cloud, One Platform
Model, deploy and manage an application profile across private clouds, datacenters and public clouds
Working Together: End-to-End Orchestration
Business (ITSM): Prime Service Catalog, ServiceNow, custom
Development (DevOps): CliQr, Jenkins
Application-centric lifecycle management: model, benchmark, deploy, manage (application profiles)
Infrastructure: UCS Director and ACI over Nexus switching, storage and UCS; profiles for datacenter, private cloud and public cloud; Hyper-V
How to access the lab
URL: http://dcloud.cisco.com/
Username: CiscoLiveStudent1 through CiscoLiveStudent24
Password: C1sc0123live
Thank you.