Application Centric Infrastructure
V1.2 – May 2015
Datacenter SDN Technical Introduction
Christophe Compain ([email protected]), Technical Solutions Architect, EMEAR N9K/ACI Team

Cisco ACI Introduction



Page 2: Cisco ACI Introduction

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

(Diagram: the network on one side, the « application » on the other.)

Page 3: Cisco ACI Introduction

Network Infrastructure Language:
•  VLAN
•  Subnets
•  Bridging
•  Routing
•  IP addresses
•  HSRP/VRRP
•  VRFs

« Application » Language:
•  WEB, APP, DB
•  DEVOPS, WEB2.0, BIG DATA
•  CONTAINERs

Also shown across the bottom of the slide: 10/40/100G; control/data plane pre-provisioning model; overlay, NFv; agile model; cloud, PaaS, SaaS.

Page 4: Cisco ACI Introduction

Need agility, responsiveness and performance

(Diagram: an application made of Intranet, Others, App (ZONE2), DB (ZONE3), Time & Labor, Extranet (CLOUD) (SaaS), Web front-end (ZONE1), AD (ZONE SHARED) and SSO (ZONE SHARED) tiers, hosted as VMs, « X » containers + MEIOS and bare metals (KVM VMs), spread over physical, physical/virtual and virtual domains.)

Page 5: Cisco ACI Introduction

(Diagram: the same application tiers: Intranet, Others, App, DB, Time & Labor, Extranet, WebFarm, AD, SSO.)

Requirements (scored 1 to 10 in the diagram): Latency needs, L4-L7 requirements, VLAN space, L2 or L3 connections, IPv4 or IPv6 multicast needs, workload mobility, virtual & physical communication, subnet overprovisioning, future growth.

Network constructs: •  VLAN •  IP Address •  Subnets •  Firewalls •  Quality of Service •  Load Balancer •  Access Lists

Network constructs are tightly coupled, dictating physical and logical topology.

Page 6: Cisco ACI Introduction

(Diagram: the network and the « application », with complexity sitting between them.)

Page 7: Cisco ACI Introduction

(Diagram: three ways of absorbing the complexity between the network and the « application »: network virtualization, « application » modeling and « application » telemetry.)

Page 8: Cisco ACI Introduction

Taxonomy and principal building blocks

Centralized Control-Plane: •  Topology •  HA & Perf. •  Protocols •  Virtual/Physical

PROGRAMMABILITY: •  Use cases •  Devices or Systems oriented •  API and SDK

OVERLAY: •  IP Mobility •  Services •  Standard (VXLAN)

NFv: •  FW/LB and others •  Compatibility •  Support

SDN – V0: -  Custom. Routing -  High scale infra. management
SDN – V1: -  Network virtualization -  NFv / service chaining
SDN – V2: -  End to end provisioning

Page 9: Cisco ACI Introduction

(Diagram: the network, the « application », and « application » modeling between the two.)

Page 10: Cisco ACI Introduction

Policy based approach

(Diagram: VMs in ZONE1, ZONE2 and ZONE3; VM attributes (IP, port, DNS) on the application side, IP and port on the network side.)

Page 11: Cisco ACI Introduction

Traditional network:
•  Vlan 10 – 10.0.0.0/24 •  Vlan 20 – 20.0.0.0/24 •  Vlan 30 – 30.0.0.0/24 •  Vlan 40 – 40.0.0.0/24
•  « Physical » segmentation •  Security and ACL segmentation •  Subnet/VLAN segmentation

Application Centric Infrastructure:
•  « Extended » or « non extended » subnets: 10.0.0.0/24, 20.0.0.0/24, 30.0.0.0/24 and 40.0.0.0/24, with EPG-10 spanning all four; EPG-A and EPG-B
•  Decoupling « apps » from network constructs •  Policy between apps/components … •  « Tier » segmentation
•  The IP plan is independent of the mobility facility and of which app an endpoint belongs to

Page 12: Cisco ACI Introduction

(Diagram: VMs in ZONE1, ZONE2 and ZONE3; VM attributes on the application side are security, load balancing, monitoring and control, with IP, port and DNS; on the network side only IP and port.)

Page 13: Cisco ACI Introduction

(Diagram: same as page 12: VM attributes (security, load balancing, monitoring, control; IP, port, DNS) against the network's IP and port.)

Rather than looking at the applications as individual network end-points, policy is driven by viewing the application as a whole: the grouping of end-points and connectivity policies that makes up an application or service.

Page 14: Cisco ACI Introduction

(Diagram: VMs in ZONE1, ZONE2 and ZONE3 attached to the network.)

Page 15: Cisco ACI Introduction

(Diagram: an application made of Intranet, App, DB, Time & Labor, Extranet, WebFarm, AD and SSO components.)

Page 16: Cisco ACI Introduction

(Diagram: the same application components mapped to zones.)

•  Database: ZONE3 •  Time & Labor: ZONE2ext •  Expenses: ZONE2 •  SSO: ZONE SHARED2 •  Web Front-End: ZONE1 •  INTRANET •  EXTRANET •  Active Directory: ZONE SHARED1

Page 17: Cisco ACI Introduction

(Diagram: the same zone mapping as page 16: Database ZONE3, Time & Labor ZONE2ext, Expenses ZONE2, SSO ZONE SHARED2, Web Front-End ZONE1, INTRANET, EXTRANET, Active Directory ZONE SHARED1, now with six Contracts drawn between the zones that communicate.)

Page 18: Cisco ACI Introduction

(Diagram: same as page 17: the zones and the six Contracts between them.)

Page 19: Cisco ACI Introduction

Programmability

(Diagram: the application components (Intranet, Others, App, DB, Time & Labor, Extranet, WebFarm, AD, SSO) mapped to Database, Time & Labor, Expenses, SSO, Web Front-End, INTRANET, EXTRANET and Active Directory, joined by seven Contracts, and pushed as policy to the network.)

Page 20: Cisco ACI Introduction

(Diagram: management platforms, resource managers and automation frameworks drive the fabric through the APIC.)

XML (or JSON):

<fvAp name="myApp">
  <fvAEPg name="ZONE1">
    <fvRsBd tnFvBDName="BD-1" />
    <fvRsProv tnVzBrCPName="Contract1" />
    <fvRsCons tnVzBrCPName="Contract2" />
    <fvRsDomAtt tDn="uni/vmmp-VMware/dom-datacenter" />
  </fvAEPg>
</fvAp>

REST API: POST http://<APIC-IP>/api/mo/uni.xml

Page 21: Cisco ACI Introduction

Programmability

(Diagram: same as page 19: the application components mapped to Database, Time & Labor, Expenses, SSO, Web Front-End, INTRANET, EXTRANET and Active Directory, with seven Contracts, pushed to the network.)

Ecosystem roadmap: •  UCS (Q1CY16) •  Storage systems (Post FCS)

OPEN SOURCE: the open source OpFlex agent is available to anyone
OPEN ECOSYSTEM: broad, growing support including from hypervisor, network, and L4-7 vendors
OPEN STANDARD

Page 22: Cisco ACI Introduction

•  Distributed control system based on a declarative policy information model. Key components:
  -  logically centralized policy repository (PR)
  -  distributed policy elements (PE)
  -  the OpFlex control protocol runs between PRs and PEs

•  Communicates policy, events, statistics, and faults

•  JSON-XML (JSON-RPC 1.0, over TCP) or OpFlex-Binary-RPC as transport protocol

•  DevOps inspired – builds on “Promise Theory” (similar to Puppet, CFEngine):
  -  PEs act as autonomous agents (pulling policy from PRs)
  -  PEs retrieve an intent/a policy from the PR; in response they “promise” to the PR to implement the intent
  -  Policy is “uncertain”, or is considered to have a lifetime, hence is refreshed at regular intervals (defined by the “policy refresh rate”)
  -  No hierarchy assumed (“peering-style” protocol)

•  IETF Draft http://tools.ietf.org/html/draft-smith-opflex-00

•  OpFlex for ACI, OpFlex agent created for Open vSwitch, group policy API developed in OpenDaylight, third party OpFlex agents for LB/FW …

Page 23: Cisco ACI Introduction

(Diagram: OpFlex policy resolution between a policy repository and a policy element.)

Policy Repository: a policy authority (e.g. APIC, OpenDaylight Controller) manages a logical model of desired state.

Policy Element (agent/plugin): performs policy resolution against the repository and receives policy updates; it holds only the subset of policy relevant to its device.

The policy endpoint interprets the policy and maps it to its hardware capabilities: the device operating system renders it to device configuration (VLANs, ports, …).

Page 24: Cisco ACI Introduction

Partner – ACI Integration – ETA

Palo Alto Networks – Automation of security policies and central point of mgmt through APIC – Q2CY15
A10 – SLB policy automation, service chaining & insertion, health score – OK
Check Point – Automation of security policies and central point of mgmt through APIC – OK
Radware – Automation of ADC and DDoS policies, with central point of mgmt through APIC – OK
Cisco CSR – Automation of NAT and SGT policies (under discussion), with central point of mgmt – Q3 CY15
Cisco WAAS – Automation of WAN Optimization policies, with central point of mgmt through APIC – Q3 CY15
Fortinet – Automation of security policies and central point of mgmt through APIC – TBD
Riverbed – Automation of virtual ADC & WAN Opt policies, with central point of mgmt through APIC – TBD
F5 – BIG-IP physical and Virtual Edition, v 11.4.1 – OK
Citrix – NetScaler MDX, SDX, VPX v 10.1.e, NetScaler 1000v – OK
Cisco ASA – ASA 5585 v 8.4, ASAv v 9.2.1 – OK
Cisco Sourcefire – OK

Page 25: Cisco ACI Introduction

(Diagram: the same VM attributes and zones as page 12. The same tiers are delivered through different hypervisor encapsulations: Port Group WEB on Vlan 500 on one hypervisor, VM Network APP on NVGRE 9730 on another.)

Page 26: Cisco ACI Introduction

(Diagram: same as page 25: VM attributes, zones, Port Group WEB on Vlan 500 and VM Network APP on NVGRE 9730, now terminating on the ACI fabric.)

ACI Fabric: -  Centralized Control-Plane (Hybrid mode) -  IP Network with integrated overlay (VXLAN) -  Full IP mobility -  Distributed gateway and optimal forwarding -  Designed for 1M hosts

+ Cisco network innovations

Page 27: Cisco ACI Introduction

Congestion Management

(Diagram: three fabric links loaded at 60%, 60% and 90%.)

Dynamic Load Balancing

Dynamic Packet Prioritization

Page 28: Cisco ACI Introduction

Congestion Management

(Diagram: three fabric links loaded at 60%, 60% and 90%.)

Dynamic Load Balancing

Dynamic Packet Prioritization

(Chart: big data use case, completion time in seconds (axis 100 to 300), ACI vs. traditional network.)

Page 29: Cisco ACI Introduction

Remove the problems of forcing the network to fit

Forwarding is defined by policy: EPG ‘ZONE1’ can talk to EPG ‘ZONE2’ independent of IP subnet, VLAN/VXLAN or VRF, if the policy in the application network profile says it should.

(Diagram: multiple sources of encapsulation and addressing normalised to one source: 802.1Q VLAN 55, NVGRE VSID 5165, VXLAN VNID 8765; 10.10.11.12 in VRF Retail Bank, 10.10.11.12 in VRF Shared, 192.168.11.3 in VRF Storage; server ports 1/4 and 8/2; % of implemented hypervisors.)

True ‘Any to Any’ Connectivity: forwarding within the fabric is defined by the forwarding policy of the network profile (EPG), ‘not’ by the VLAN, VXLAN, subnet, VRF, …

Agnostic server connections, workload independent, coherency and automation.

Page 30: Cisco ACI Introduction

(Diagram: VMs in ZONE1, ZONE2 and ZONE3 with IP services inserted on the paths between them.)

IP services can be directly managed by APIC.

A packet matching a redirection rule is sent into a service graph. A service graph can be one or more service nodes pre-defined in a series. Service graphs simplify and scale service operations.

Ecosystem: automation through the insertion of “device packages” (version, device, rules). Other equipment: integration by scripting.

Page 31: Cisco ACI Introduction

(Diagram: the network on one side, the « application » on the other.)

Page 32: Cisco ACI Introduction

Packets sent from Leaf #2 to Leaf #5: Path 1: 2068, Path 2: 2963, Path 3: 2866, Path 4: 2506
Packets received on Leaf #5 sent from Leaf #2: Path 1: 2066, Path 2: 2963, Path 3: 2869, Path 4: 2506
Difference: Path 1: 2, Path 2: 0, Path 3: 13, Path 4: 0

Consistency of the (atomic) counters inside the fabric

Latency computation (IEEE 1588)

Granularity from the TCP port to the EP belonging to an EPG

Page 33: Cisco ACI Introduction

Application-Level Visibility

(Diagram: the APIC raises triggered events or answers queries about ZONE1, ZONE2 and ZONE3.)

•  ZONE1 Dev: Leaf 1 and 2, Spine 1 – 3, atomic counters
•  ZONE2 PROD: Leaf 2 and 3, Spine 1 – 2, atomic counters
•  ZONE3 QA: Leaf 3 and 4, Spine 2 – 3, atomic counters

Actions on an event: no new hosts or VMs, evacuate hypervisors, re-balance clusters.

VXLAN per-hop visibility; physical and virtual as one.

ACI Fabric provides the next generation of analytic capabilities, per application, tenant and infrastructure: health scores, latency, atomic counters, resource consumption. These integrate with workload placement or migration.

Page 34: Cisco ACI Introduction

(Diagram: the APIC, the Nexus 9500 and 9300 switches, and the policy model.)

Page 35: Cisco ACI Introduction

High-Performance 10 Gbps/40 Gbps/100 Gbps Switch Family

FLEXIBLE FORM FACTORS CAN ENABLE VARIABLE DATA CENTER DESIGN AND SCALING

Scalable 1 GE/10 Gbps/40 Gbps/100 GE performance: performance, ports, price, programmability, power.

Nexus® 9300:
•  48 1/10G SFP+ & 12 QSFP+ – FCS Q4 2013
•  96 1/10G-T & 8 QSFP+ – FCS Q1 2014
•  12-port QSFP+ GEM – FCS Q1 2014

Nexus 9500:
•  ACI Ready Leaf line card, 48 1/10G-T & 4 QSFP+ – FCS Q1 2014
•  ACI-ready Leaf line card, 48 1/10G SFP+ & 4 QSFP+ – FCS Q1 2014
•  Aggregation line card, 36 40G QSFP+ – FCS Q4 2013
•  C9500 8-Slot – FCS Q4 2013

Page 36: Cisco ACI Introduction

Removing 40 Gb Barriers

Problem:
•  40 Gb optics are a significant portion of capital expenditures (CAPEX)
•  40 Gb optics require new cabling

Solution: Cisco® 40 Gb SR-BiDi QSFP
•  Re-use existing 10 Gb MMF cabling infrastructure •  Re-use patch cables (same LC connector)
•  QSFP, MSA-compliant •  Dual LC connector •  Support for 100 m on OM3 and up to 150 m on OM4 •  TX/RX on two wavelengths at 20 Gb each

Available end of CY13 and supported across all Cisco QSFP ports

Page 37: Cisco ACI Introduction

Software Upgrade

(Diagram: the same Nexus 9000 hardware runs in standalone mode (NX-OS, Q4 CY2013) and, after a software upgrade and the addition of the APIC, in ACI mode (since summer 2014). Benefits listed on both sides: performance and scale, security, simplicity, open, agility, automation and visibility.)

Page 38: Cisco ACI Introduction

(Diagram: deployment options.)

•  Extend ACI to local hypervisors (vSwitch, AVS)
•  Extend ACI to WAN/DCI
•  Interconnect to existing DC networks
•  Extend ACI to existing Nexus installations via a full ACI VXLAN switching-enabled hypervisor (AVS) ‘and’ a remote ACI physical leaf
•  “Let me just run my network (but fix my flooding, mobility, configuration and troubleshooting challenges)”

ABSOLUTELY NOT !!!

Page 39: Cisco ACI Introduction

(Diagram: four integration options, each driven by the APIC, with virtual and physical hosts running App/OS.)

•  Extend: 9K ACI leaf overlay over a 2K-7K fabric, with AVS on the hosts – full policy & management model, seamless HW gateway integration
•  Integrate: ACI policy block, EPG extension into the 2K-7K fabric – full policy model, zero impact to the existing fabric
•  N2K FEX: N2K integration in the ACI fabric – deploy N2K in the ACI fabric
•  WAN/DCI or DC core (Nexus 7x00): ACI-integrated N7K/ASR9K DCI – automated DCI integration, large-scale tenant extension

Page 40: Cisco ACI Introduction

Nexus 2200 FEX Support

•  Investment protection
•  Cost-effective 100 Mbps / 1 Gbps server access
•  FEX support scalability: up to 32 FEXs per Nexus® 9500, up to 16 FEXs per Nexus 9300

Supported models: Nexus 2248TP, Nexus 2248TP-E, Nexus 2232PP-10Gbps, Nexus 2232TM, Nexus 2232TM-E, Nexus 2248PQ, Nexus B22-HP, Nexus B22-Dell

Page 41: Cisco ACI Introduction

Page 42: Cisco ACI Introduction

Cisco ACI: Simply A Better Approach

(Diagram: approaches positioned by simplicity, scale and security, and by TCO.)

ACI: systems + ASICs + software; choice of hypervisor, open source and operational models; scale-out performance; systems approach; secure workload placement; application visibility + health metrics; common policy model; physical + virtual; lower TCO.

“DIY” basic switching: white box, merchant silicon.

Traditional switching: integrated hardware and switching software.

Software only: virtual overlay, VM-based policy, SDN LAN emulation, VM mobility; scale limitations, operational disruptions, dependent on hypervisor.

Application and end-point aware.

Page 43: Cisco ACI Introduction

End of April 2015: 2,655+ Nexus 9K and ACI customers globally; 585+ APIC customers; 35 ecosystem partners across application, compute, network, cloud, storage and security.

Page 44: Cisco ACI Introduction

•  Reduce network provisioning: 58%
•  Reduce management costs: 21%
•  Reduce power and cooling costs: 45%
•  CAPEX reduction: 25%
•  Compute and storage optimization: 10–20%

Greater business agility, lower capital expenses, reduced costs/complexity, lower operating cost, resource optimization.

Page 45: Cisco ACI Introduction

“It’s critical that we are able to deliver hundreds of thousands of transactions per second, so latency and 40G throughput is a number one concern. After evaluating numerous vendor solutions, Cisco's Nexus 9000 switching platform provided us with the best performance to support our evolving data centers, while protecting existing IT investments."

Bob Hammond, CTO, Millennial Media

“Symantec is an early adopter of Cisco's ACI, leveraging the technology within our own Agile Data Center. Cisco ACI brings the scalability and efficiency we need while enabling us to truly bring next generation networking capabilities to our customers.”

Jon Sanchez, Director of Data Center Services, Symantec

Page 46: Cisco ACI Introduction

•  Centralized provisioning tool: programs an abstraction model onto the physical infrastructure; in charge of infrastructure bring-up and operations; telemetry with health checks per application

•  Automated host-based routing fabric: encapsulation normalization; workload normalization (physical / virtual); enhanced application performance

•  Open system with public APIs (north and south): large ecosystem allowing unified provisioning through APIC

•  A new communication language aligned with application teams' expectations

Page 47: Cisco ACI Introduction

Page 48: Cisco ACI Introduction

(Diagram: end points EP1, EP2, EP3 and EP4 in each of ZONE1, ZONE2 and ZONE3.)

Page 49: Cisco ACI Introduction

First, we need a way to identify and group together end points.

(Diagram: end points EP1 to EP4 in each of ZONE1, ZONE2 and ZONE3.)

Page 50: Cisco ACI Introduction

In the ACI model, we do this using the End Point Group (EPG).

(Diagram: EPG “ZONE1”, EPG “ZONE2” and EPG “ZONE3”, each grouping EP1 to EP4.)

Page 51: Cisco ACI Introduction

A collection of EPGs and the policies that define how they communicate form an Application Profile.

(Diagram: EPGs “Web”, “App” and “DB” (EPG “ZONE1”, EPG “ZONE2”, EPG “ZONE3”), each with EP1 to EP4, grouped into one Application Profile.)

Page 52: Cisco ACI Introduction

Once we have our EPGs defined, we need to create policies to determine how they communicate with each other.

(Diagram: Contracts between EPG “ZONE1”, EPG “ZONE2” and EPG “ZONE3”, each with EP1 to EP4.)

Page 53: Cisco ACI Introduction

A contract typically refers to one or more ‘filters’ to define specific protocols, ports or services allowed between EPGs.

(Diagram: filters TCP: 80 and TCP: 443, plus services chaining, attached to the contracts between EPG “ZONE1”, EPG “ZONE2” and EPG “ZONE3”, each with EP1 to EP4.)
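As an added example (not code from the deck or from Cisco), the following Python script assembles the fvAp/fvAEPg/fvRsProv/fvRsCons XML from the programmability slide together with the contract and filter objects introduced on the last slides, and then answers the question that model exists to answer: which EPG may open a connection to which EPG on which TCP port. Class and attribute names are the ACI object-model names; the tenant, bridge domain, EPG, contract and filter names and the 8080/3306 ports are constructed, and the check models the consumer-to-provider direction only.

```python
# Added example, not the deck's own code: builds the fvAp/fvAEPg/fvRsProv/
# fvRsCons XML from the programmability slide plus the contract and filter
# objects of the EPG model, then evaluates the whitelist it expresses.
# Tenant, BD, EPG, contract and filter names are constructed for the example.
import xml.etree.ElementTree as ET


def build_tenant(tenant, bd, filters, contracts, epgs):
    """filters: {name: [(proto, from_port, to_port)]}; contracts: {name:
    [filter names]}; epgs: {name: {"provides": [...], "consumes": [...]}}"""
    tn = ET.Element("fvTenant", name=tenant)
    for fname, entries in filters.items():
        flt = ET.SubElement(tn, "vzFilter", name=fname)
        for i, (proto, lo, hi) in enumerate(entries):
            ET.SubElement(flt, "vzEntry", name=f"e{i}", etherT="ip",
                          prot=proto, dFromPort=str(lo), dToPort=str(hi))
    for cname, fnames in contracts.items():
        subj = ET.SubElement(ET.SubElement(tn, "vzBrCP", name=cname),
                             "vzSubj", name="subj")
        for fname in fnames:
            ET.SubElement(subj, "vzRsSubjFiltAtt", tnVzFilterName=fname)
    ap = ET.SubElement(tn, "fvAp", name="myApp")
    for ename, rel in epgs.items():
        epg = ET.SubElement(ap, "fvAEPg", name=ename)
        ET.SubElement(epg, "fvRsBd", tnFvBDName=bd)  # bridge domain
        for c in rel.get("provides", []):
            ET.SubElement(epg, "fvRsProv", tnVzBrCPName=c)
        for c in rel.get("consumes", []):
            ET.SubElement(epg, "fvRsCons", tnVzBrCPName=c)
    return tn


def allowed(tn, src, dst, proto, port):
    """True only if src consumes a contract that dst provides and one of that
    contract's filter entries covers (proto, port); everything else is
    dropped, so an EPG with no contract toward its peer is isolated."""
    epgs = {e.get("name"): e for e in tn.iter("fvAEPg")}
    if src not in epgs or dst not in epgs:
        return False
    consumed = {r.get("tnVzBrCPName") for r in epgs[src].findall("fvRsCons")}
    provided = {r.get("tnVzBrCPName") for r in epgs[dst].findall("fvRsProv")}
    filters = {f.get("name"): f for f in tn.iter("vzFilter")}
    for c in tn.iter("vzBrCP"):
        if c.get("name") not in consumed & provided:
            continue
        for att in c.iter("vzRsSubjFiltAtt"):
            for e in filters[att.get("tnVzFilterName")].iter("vzEntry"):
                if (e.get("prot") == proto
                        and int(e.get("dFromPort")) <= port <= int(e.get("dToPort"))):
                    return True
    return False


def to_xml(tn):
    """Request body for POST http://<APIC-IP>/api/mo/uni.xml (not sent here)."""
    return ET.tostring(tn, encoding="unicode")


def demo_tenant():
    """INTRANET -> ZONE1 (web) on tcp/80 and 443 as on the filter slide;
    ZONE1 -> ZONE2 on 8080 and ZONE2 -> ZONE3 on 3306 are constructed."""
    return build_tenant(
        "demo", "BD-1",
        filters={"web": [("tcp", 80, 80), ("tcp", 443, 443)],
                 "app": [("tcp", 8080, 8080)], "db": [("tcp", 3306, 3306)]},
        contracts={"Contract1": ["web"], "Contract2": ["app"], "Contract3": ["db"]},
        epgs={"INTRANET": {"consumes": ["Contract1"]},
              "ZONE1": {"provides": ["Contract1"], "consumes": ["Contract2"]},
              "ZONE2": {"provides": ["Contract2"], "consumes": ["Contract3"]},
              "ZONE3": {"provides": ["Contract3"]}})
```

Running allowed() over every EPG pair of demo_tenant() gives the effective whitelist, which is the review artefact to compare against the intended zoning before the XML is posted.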