Application Centric Infrastructure
V1.2 – May 2015
Datacenter SDN Technical Introduction
Christophe Compain ([email protected]) Technical Solutions Architect EMEAR N9K/ACI Team
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
[Figure: the same infrastructure seen in "Network" terms and in « Application » terms]
Network infrastructure language: VLAN, subnets, bridging, routing, IP addresses, HSRP/VRRP, VRFs
« Application » language: WEB, APP, DB; DevOps, Web 2.0, big data, containers
Drivers: 10/40/100G, control/data plane, pre-provisioning model, overlay, NFV, agile model, cloud PaaS, SaaS
Need agility, responsiveness and performance
[Figure: application zones spread across physical (P) and virtual (V) infrastructure]
Zones: Web front-end (ZONE1), App (ZONE2), DB (ZONE3), AD (ZONE SHARED), SSO (ZONE SHARED), Time & Labor, Intranet, Extranet (CLOUD / SaaS), Others
Workloads: bare metal, VMs (KVM, « X »), containers + MEIOS; the application tier spans physical and virtual hosts
[Figure: the same components (Intranet, Others, App, DB, Time & Labor, Extranet, WebFarm, AD, SSO) mapped onto their network requirements]
Requirements per application: latency needs, L4-L7 requirements, VLAN space, L2 or L3 connections, IPv4 or IPv6, multicast needs, workload mobility, virtual and physical communication, subnet overprovisioning for future growth
Network constructs involved: VLAN, IP address, subnets, firewalls, quality of service, load balancer, access lists
Network constructs are tightly coupled, dictating physical and logical topology.
[Figure: "Network" vs « Application »: the complexity sits between the two]
[Figure: ways of attacking that complexity: OF, network virtualization, « Application » modeling, « Application » telemetry]
Taxonomy and principal building blocks
Centralized control plane: topology, HA & performance, protocols, virtual/physical
Programmability: use cases, device- or system-oriented, API and SDK
Overlay: IP mobility, services, standard (VXLAN)
NFV: FW/LB and others, compatibility, support
SDN V0: custom routing, high-scale infrastructure management
SDN V1: network virtualization, NFV / service chaining
SDN V2: end-to-end provisioning
[Figure: "Network" vs « Application »: « Application » modeling]
Policy based approach
[Figure: VMs in ZONE1, ZONE2 and ZONE3; today the network only sees VM attributes such as IP, port and DNS name]
Traditional network vs. Application Centric Infrastructure
Traditional network: Vlan 10 10.0.0.0/24, Vlan 20 20.0.0.0/24, Vlan 30 30.0.0.0/24, Vlan 40 40.0.0.0/24; « physical » segmentation, security and ACL segmentation, subnet/VLAN segmentation
ACI: the same subnets (10.0.0.0/24, 20.0.0.0/24, 30.0.0.0/24, 40.0.0.0/24), « extended » or « non extended », can all be mapped to one EPG-10; EPG-A and EPG-B carry « tier » segmentation
Decoupling « apps » from network constructs: policy is expressed between apps/components, and the IP plan is independent of workload mobility and of application membership
[Figure: VM attributes (security, load balancing, monitoring, control) attached to each zone (ZONE1, ZONE2, ZONE3); the network itself only sees IP, port and DNS]
Rather than looking at the applications as individual network end-points, policy is driven by viewing the application as a whole: the grouping of end-points and connectivity policies that make up an application or service.
[Figure: zones ZONE1, ZONE2 and ZONE3 and their VMs on the network]
[Figure: the application components (Intranet, App, DB, Time & Labor, Extranet, WebFarm, AD, SSO) regrouped into zones linked by contracts]
Zones: Web Front-End (ZONE1), Expenses (ZONE2), Time & Labor (ZONE2ext), Database (ZONE3), Active Directory (ZONE SHARED1), SSO (ZONE SHARED2), INTRANET, EXTRANET
Each link between two zones is a Contract.
Programmability
[Figure: the same zones (Web front-end, Expenses, Time & Labor, Database, Active Directory, SSO, INTRANET, EXTRANET) and the contracts between them, expressed as a model that can be pushed programmatically]
Consumers of the API: management platforms, resources manager, automation framework
XML (or JSON):
<fvAp name="myApp">
  <fvAEPg name="ZONE1">
    <fvRsBd tnFvBDName="BD-1" />
    <fvRsProv tnVzBrCPName="Contract1" />
    <fvRsCons tnVzBrCPName="Contract2" />
    <fvRsDomAtt tDn="uni/vmmp-VMware/dom-datacenter" />
  </fvAEPg>
</fvAp>
REST API: POST http://<APIC-IP>/api/mo/uni.xml
Two practical caveats: an APIC is normally reached over HTTPS, and every call after the initial POST to /api/aaaLogin carries the session token as the APIC-cookie; and an fvAp lives under a tenant, so the payload above is posted wrapped in its <fvTenant>, or directly to /api/mo/uni/tn-<tenant>.xml.
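The slide shows one EPG referencing contracts that already exist. The following is an added example, not Cisco code: it builds the complete tenant subtree that the fvAp above depends on (VRF, bridge domain, a filter with TCP 80 and 443, the contract and subject, a provider EPG and a consumer EPG) with the standard library and posts it to an APIC after authenticating. The tenant, VRF, BD, EPG, filter and contract names, and the APIC_URL / APIC_USER / APIC_PASS / APIC_CA environment variables, are assumptions for the example; the managed-object class and attribute names are those of the APIC model.

```python
"""Build an ACI application policy as APIC XML and post it.

Added example for this deck, not Cisco code. Tenant "myTenant", VRF
"VRF-1", BD "BD-1", EPGs ZONE1/ZONE2, the filter and contract names and
the APIC_* environment variables are illustrative assumptions. The class
and attribute names (fvTenant, fvCtx, fvBD, fvAp, fvAEPg, vzFilter,
vzEntry, vzBrCP, vzSubj, fvRsProv, fvRsCons) are APIC managed objects.
"""
import json
import os
import ssl
import urllib.request
import xml.etree.ElementTree as ET


def build_policy(tenant="myTenant", vrf="VRF-1", bd="BD-1", ap="myApp",
                 provider="ZONE2", consumer="ZONE1", contract="Contract1",
                 ports=(80, 443)):
    """Return the fvTenant subtree as an ElementTree element.

    ACI is deny-by-default between EPGs: the only traffic the consumer
    EPG can send to the provider EPG is what the contract's filter
    entries allow (here TCP to 80 and 443), whatever VLAN or subnet.
    """
    tn = ET.Element("fvTenant", name=tenant)
    ET.SubElement(tn, "fvCtx", name=vrf)
    bd_el = ET.SubElement(tn, "fvBD", name=bd)
    ET.SubElement(bd_el, "fvRsCtx", tnFvCtxName=vrf)

    # Filter: one vzEntry per allowed TCP destination port.
    flt = ET.SubElement(tn, "vzFilter", name=f"{contract}-flt")
    for p in ports:
        ET.SubElement(flt, "vzEntry", name=f"tcp-{p}", etherT="ip",
                      prot="tcp", dFromPort=str(p), dToPort=str(p))

    # Contract with a single subject that references the filter.
    brcp = ET.SubElement(tn, "vzBrCP", name=contract)
    subj = ET.SubElement(brcp, "vzSubj", name="subj")
    ET.SubElement(subj, "vzRsSubjFiltAtt", tnVzFilterName=f"{contract}-flt")

    # Application profile: provider and consumer EPGs in the same BD.
    ap_el = ET.SubElement(tn, "fvAp", name=ap)
    for epg_name, rel in ((provider, "fvRsProv"), (consumer, "fvRsCons")):
        epg = ET.SubElement(ap_el, "fvAEPg", name=epg_name)
        ET.SubElement(epg, "fvRsBd", tnFvBDName=bd)
        ET.SubElement(epg, rel, tnVzBrCPName=contract)
    return tn


def policy_xml(**kw):
    """Serialize the policy the way it is posted to /api/mo/uni.xml."""
    return ET.tostring(build_policy(**kw), encoding="unicode")


def epg_relations(root):
    """Map each EPG name to the contracts it provides and consumes."""
    out = {}
    for epg in root.iter("fvAEPg"):
        out[epg.get("name")] = {
            "provides": [r.get("tnVzBrCPName") for r in epg.findall("fvRsProv")],
            "consumes": [r.get("tnVzBrCPName") for r in epg.findall("fvRsCons")],
        }
    return out


def apic_login(base_url, user, password, ctx):
    """POST /api/aaaLogin.json and return the session token."""
    body = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": password}}}).encode()
    req = urllib.request.Request(base_url + "/api/aaaLogin.json", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["imdata"][0]["aaaLogin"]["attributes"]["token"]


def post_policy(base_url, user, password, xml_payload, cafile=None):
    """POST the tenant subtree to /api/mo/uni.xml over verified HTTPS."""
    ctx = ssl.create_default_context(cafile=cafile)  # verify the APIC cert
    token = apic_login(base_url, user, password, ctx)
    req = urllib.request.Request(base_url + "/api/mo/uni.xml",
                                 data=xml_payload.encode(),
                                 headers={"Content-Type": "application/xml",
                                          "Cookie": f"APIC-cookie={token}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    payload = policy_xml()
    print(payload)
    if os.environ.get("APIC_URL"):  # e.g. https://apic.example.test (assumed)
        print(post_policy(os.environ["APIC_URL"], os.environ["APIC_USER"],
                          os.environ["APIC_PASS"], payload,
                          cafile=os.environ.get("APIC_CA")))
```

Run it without APIC_URL to print the payload; set the variables to push it. The script deliberately keeps TLS verification on: an automation host that skips certificate checks against the controller that programs every leaf is exactly the wrong place to save effort.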
Roadmap: UCS (Q1CY16), storage systems (post FCS)
OPEN SOURCE: an open source OpFlex agent is available to anyone
OPEN ECOSYSTEM: broad, growing support including from hypervisor, network, and L4-7 vendors
OPEN STANDARD
• Distributed control system based on a declarative policy information model. Key components: a logically centralized policy repository (PR), distributed policy elements (PE), and the OpFlex control protocol running between PRs and PEs
• Communicates policy, events, statistics, and faults
• Transport: JSON-RPC 1.0 over TCP, or OpFlex binary RPC
• DevOps inspired, builds on "Promise Theory" (as in Puppet and CFEngine): PEs act as autonomous agents that pull policy from the PR; a PE retrieves an intent/policy from the PR and in response "promises" to the PR to implement it
• Policy is "uncertain", i.e. it is considered to have a lifetime, hence is refreshed at regular intervals (the "policy refresh rate")
• No hierarchy assumed ("peering-style" protocol)
• IETF draft: http://tools.ietf.org/html/draft-smith-opflex-00
• OpFlex for ACI, an OpFlex agent for Open vSwitch, the Group Policy API developed in OpenDaylight, third-party OpFlex agents for LB/FW, ...
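The "promise" and "lifetime" bullets above describe a pull model in which the agent never holds policy it cannot vouch for. The following is an added example written for this deck, not the Cisco or Open vSwitch OpFlex agent: a toy Policy Repository and Policy Element exchange JSON-RPC 1.0 style messages, the element renders the subset of policy it resolved with an expiry, re-resolves before that expiry, and withdraws the rules when the repository no longer returns them. The method name policy_resolve follows the IETF draft; the policy_uri values, the shape of the policy payload, the ttl field and the refresh logic are simplifying assumptions. Transport security is out of scope here.

```python
"""Policy resolution with a lifetime, OpFlex style.

Added example for this deck, not Cisco/OVS code. JSON-RPC 1.0 framing
("id", "method", "params" / "result", "error") and the method name
policy_resolve follow draft-smith-opflex; the policy_uri strings, the
policy payload, the "ttl" field and the refresh rule are assumptions.
"""
import itertools
import json


class PolicyRepository:
    """Logically centralized desired state; answers resolution requests."""

    def __init__(self, policies, ttl_s):
        self.policies = policies   # policy_uri -> list of rules (assumed shape)
        self.ttl_s = ttl_s         # lifetime granted with every resolution

    def handle(self, raw):
        """Serve one JSON-RPC request and return the JSON-RPC response."""
        req = json.loads(raw)
        if req.get("method") != "policy_resolve":
            return json.dumps({"id": req.get("id"), "result": None,
                               "error": "unsupported method"})
        uri = req["params"]["policy_uri"]
        rules = self.policies.get(uri)
        if rules is None:
            return json.dumps({"id": req["id"], "result": None, "error": "not found"})
        return json.dumps({"id": req["id"], "error": None,
                           "result": {"policy_uri": uri, "policy": rules,
                                      "ttl": self.ttl_s}})


class PolicyElement:
    """Autonomous agent holding only the subset of policy it resolved."""

    def __init__(self, repository):
        self.repository = repository
        self.ids = itertools.count(1)
        self.rendered = {}   # policy_uri -> (rules, expires_at)

    def resolve(self, uri, now):
        """Send policy_resolve; render on success, withdraw on failure."""
        req = {"id": next(self.ids), "method": "policy_resolve",
               "params": {"policy_uri": uri}}
        resp = json.loads(self.repository.handle(json.dumps(req)))
        if resp["error"] is not None:
            self.rendered.pop(uri, None)   # drop rules the PR no longer vouches for
            return False
        self.rendered[uri] = (resp["result"]["policy"], now + resp["result"]["ttl"])
        return True

    def is_valid(self, uri, now):
        """True while a rendered policy is inside its lifetime."""
        entry = self.rendered.get(uri)
        return entry is not None and now < entry[1]

    def refresh_if_needed(self, uri, now, refresh_rate_s):
        """Re-resolve when the remaining lifetime is at most refresh_rate_s."""
        entry = self.rendered.get(uri)
        if entry is None or entry[1] - now <= refresh_rate_s:
            return self.resolve(uri, now)
        return True

    def rules(self, uri, now):
        """Rules to enforce; in this model an expired policy yields none."""
        return list(self.rendered[uri][0]) if self.is_valid(uri, now) else []
```

The refresh rate has to be shorter than the lifetime, otherwise every agent spends part of each cycle enforcing nothing; conversely a very long lifetime means a policy deleted on the controller stays in effect on the device until the next refresh, which is the window to size when you decide how quickly a revoked contract must stop traffic.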
Policy Repository: a policy authority (e.g. APIC, OpenDaylight Controller) manages a logical model of desired state
Policy Resolution / Policy Update: exchanged between the repository and the Policy Element (agent/plugin), which receives only the subset of policy it needs
Policy Element: the policy endpoint interprets the policy and maps it to its hardware capabilities, rendering it through the device operating system into device configuration (VLANs, ports, ...)
Partner | ACI integration | ETA
Palo Alto Networks | Automation of security policies and central point of mgmt through APIC | Q2CY15
A10 | SLB policy automation, service chaining & insertion, health score | OK
Check Point | Automation of security policies and central point of mgmt through APIC | OK
Radware | Automation of ADC and DDoS policies, with central point of mgmt through APIC | OK
Cisco CSR | Automation of NAT and SGT policies (under discussion), with central point of mgmt | Q3 CY15
Cisco WAAS | Automation of WAN Optimization policies, with central point of mgmt through APIC | Q3 CY15
Fortinet | Automation of security policies and central point of mgmt through APIC | TBD
Riverbed | Automation of virtual ADC & WAN Opt policies, with central point of mgmt through APIC | TBD
F5 | BIG-IP physical and Virtual Edition, v11.4.1 | OK
Citrix | NetScaler MDX, SDX, VPX v10.1.e, NetScaler 1000v | OK
Cisco ASA | ASA 5585 v8.4, ASAv v9.2.1 | OK
Cisco Sourcefire | | OK
[Figure: the zones (ZONE1, ZONE2, ZONE3) with their VM attributes (security, load balancing, monitoring, control; IP, port, DNS) on top of a network where each hypervisor exposes its own encapsulation]
Example: the WEB tier appears as Port Group WEB on Vlan 500 on one hypervisor and as VM Network APP on NVGRE 9730 on another
ACI Fabric: centralized control plane (hybrid mode), IP network with integrated overlay (VXLAN), full IP mobility, distributed gateway and optimal forwarding, designed for 1M hosts, plus Cisco network innovations
P P
Congestion management: dynamic load balancing, dynamic packet prioritization
[Figure: link utilization of 60% / 60% / 90% rebalanced across paths; big data use case, completion time (s) on a 100-300 s axis for ACI vs. a traditional network]
Remove the problems of forcing the network to fit
Forwarding is defined by policy: EPG 'ZONE1' can talk to EPG 'ZONE2' independent of IP subnet, VLAN/VXLAN or VRF, if the policy in the application network profile says it should
Multiple sources, one EPG: 802.1Q VLAN 55, NVGRE VSID 5165, VXLAN VNID 8765 (whichever encapsulation the hypervisor implements), 10.10.11.12 in VRF Retail Bank, 10.10.11.12 in VRF Shared, 192.168.11.3 in VRF Storage, Port 1/4, Port 8/2
True 'any to any' connectivity: forwarding within the fabric is defined by the forwarding policy of the Network Profile (EPG), 'not' by the VLAN, VXLAN, subnet, VRF, ...
Agnostic server connections, workload independent, coherency and automation
[Figure: ZONE1, ZONE2 and ZONE3 VMs with L4-L7 services inserted between them]
IP services can be managed directly by APIC: a packet that matches a redirection rule is sent into a service graph. A service graph is one or more service nodes pre-defined in a series; it simplifies and scales service operations.
Ecosystem: automation through the insertion of "device packages" (version, device, rules); other equipment: integration by scripting
[Figure: "Network" vs « Application »: visibility]
Atomic counters example, packets sent from Leaf #2 to Leaf #5:
Path   | Sent from Leaf #2 | Received on Leaf #5 | Difference
Path 1 | 2068              | 2066                | 2
Path 2 | 2963              | 2963                | 0
Path 3 | 2866              | 2869                | 13
Path 4 | 2506              | 2506                | 0
Consistency of the counters (atomic) inside the fabric
Latency computation (IEEE 1588)
Granularity from the TCP port to the EP belonging to an EPG
Application-Level Visibility
[Figure: APIC receiving triggered events or queries per zone]
ZONE1 (Dev): Leaf 1 and 2, Spine 1-3, atomic counters
ZONE2 (PROD): Leaf 2 and 3, Spine 1-2, atomic counters
ZONE3 (QA): Leaf 3 and 4, Spine 2-3, atomic counters
Actions on an event: no new hosts or VMs, evacuate hypervisors, re-balance clusters
VXLAN per-hop visibility; physical and virtual as one
ACI Fabric provides the next generation of analytic capabilities: per application, tenant and infrastructure health scores, latency, atomic counters and resource consumption; integrates with workload placement or migration
APIC NEXUS 9500 and 9300 POLICY MODEL
High-Performance 10 Gbps/40 Gbps/100 Gbps Switch Family
Flexible form factors can enable variable data center design and scaling
Scalable 1 GE / 10 Gbps / 40 Gbps / 100 GE performance: performance, ports, price, programmability, power
Nexus 9300:
  48 1/10G SFP+ & 12 QSFP+ (FCS Q4 2013)
  96 1/10G-T & 8 QSFP+ (FCS Q1 2014)
  12-port QSFP+ GEM (FCS Q1 2014)
Nexus 9500:
  C9500 8-slot chassis (FCS Q4 2013)
  Aggregation line card, 36 40G QSFP+ (FCS Q4 2013)
  ACI-ready leaf line card, 48 1/10G-T & 4 QSFP+ (FCS Q1 2014)
  ACI-ready leaf line card, 48 1/10G SFP+ & 4 QSFP+ (FCS Q1 2014)
Removing 40 Gb Barriers
Problem: 40 Gb optics are a significant portion of capital expenditures (CAPEX), and 40 Gb optics require new cabling
Goal: re-use the existing 10 Gb MMF cabling infrastructure and patch cables (same LC connector)
Solution: Cisco® 40 Gb SR-BiDi QSFP: QSFP, MSA-compliant, dual LC connector, support for 100 m on OM3 and up to 150 m on OM4, TX/RX on two wavelengths at 20 Gb each
Available end of CY13 and supported across all Cisco QSFP ports
Two modes for the same hardware, a software upgrade apart: standalone mode (NX-OS, Q4 CY2013) and ACI mode (with APIC, since summer 2014)
Both modes: performance and scale, security, simplicity, open, agility, automation and visibility
Deployment options:
- Extend ACI to local hypervisors (vSwitch, AVS)
- Extend ACI to WAN/DCI
- Interconnect to existing DC networks
- Extend ACI to existing Nexus installations via a full ACI VXLAN switching-enabled hypervisor (AVS) 'and' a remote ACI physical leaf
- "Let me just run my network (but fix my flooding, mobility, configuration and troubleshooting challenges)"
ABSOLUTELY NOT !!!
[Figure: four integration models around an APIC-managed N9K ACI fabric, with virtual (App/OS on AVS hosts) and physical workloads]
Extend: 9K ACI leaf overlay over an existing 2K-7K fabric, AVS on the hosts; full policy & management model, seamless HW gateway integration
Integrate: ACI policy block / EPG extension into an existing 2K-7K fabric; full policy model, zero impact to the existing fabric
N2K FEX: N2K integration in the ACI fabric (deploy N2K in ACI fabric)
WAN/DCI or DC core: ACI-integrated N7K/ASR9K DCI (Nexus 7x00); automated DCI integration, large-scale tenant extension
Nexus 2200 FEX Support
• Investment protection
• Cost-effective 100 Mbps / 1 Gbps server access
• FEX support scalability: up to 32 FEXs per Nexus® 9500, up to 16 FEXs per Nexus 9300
Supported models: Nexus 2248TP, Nexus 2248TP-E, Nexus 2232PP-10Gbps, Nexus 2232TM, Nexus 2232TM-E, Nexus 2248PQ, Nexus B22-HP, Nexus B22-Dell
Cisco ACI: Simply A Better Approach
[Figure: positioning of ACI against alternative approaches on axes of simplicity, scale, security and lower TCO]
ACI: systems + ASICs + software; choice of hypervisor / open source / operational models; scale-out performance; systems approach; secure workload placement; application visibility + health metrics; common policy model, physical + virtual; application and end-point aware
"DIY" basic switching: white box, merchant silicon
Traditional switching: integrated hardware and switching software
Software only: virtual overlay, VM-based policy, SDN LAN emulation, VM mobility
Drawbacks of the alternatives: scale limitations, operational disruptions, dependent on hypervisor
End of April 2015: 2,655+ Nexus 9K and ACI customers globally, 585+ APIC customers, 35 ecosystem partners (application, compute, network, cloud, storage, security)
Claimed benefits:
  Reduce network provisioning: 58%
  Reduce management costs: 21%
  Reduce power and cooling costs: 45%
  CAPEX reduction: 25%
  Compute and storage optimization: 10-20%
Greater business agility, lower capital expenses, reduced costs/complexity, lower operating cost, resource optimization
“It’s critical that we are able to deliver hundreds of thousands of transactions per second, so latency and 40G throughput is a number one concern. After evaluating numerous vendor solutions, Cisco's Nexus 9000 switching platform provided us with the best performance to support our evolving data centers, while protecting existing IT investments."
Bob Hammond, CTO, Millennial Media
“Symantec is an early adopter of Cisco's ACI, leveraging the technology within our own Agile Data Center. Cisco ACI brings the scalability and efficiency we need while enabling us to truly bring next generation networking capabilities to our customers.” Jon Sanchez, Director of Data Center Services, Symantec
Summary:
Centralized provisioning tool: programs the abstraction model onto the physical infrastructure, is in charge of infrastructure bring-up and operations, and provides telemetry with health checks per application
Automated host-based routing, fabric encapsulation normalization, workload normalization (physical / virtual), enhanced application performance
Open system with public APIs (northbound and southbound); a large ecosystem allowing unified provisioning through APIC
A new communication language aligned with the expectations of application teams
First, we need a way to identify and group together end points.
[Figure: ZONE1, ZONE2 and ZONE3, each with end points EP1, EP2, EP3, EP4]
In the ACI model, we do this using the End Point Group (EPG).
[Figure: the same end points grouped as EPG "ZONE1", EPG "ZONE2", EPG "ZONE3"]
A collection of EPGs and the policies that define how they communicate form an Application Profile.
[Figure: EPG "Web" / EPG "App" / EPG "DB" alongside EPG "ZONE1" / EPG "ZONE2" / EPG "ZONE3", each with EP1-EP4]
Once we have our EPGs defined, we need to create policies to determine how they communicate with each other. These policies are Contracts; without a contract, two EPGs cannot talk.
[Figure: Contracts placed between EPG "ZONE1", EPG "ZONE2" and EPG "ZONE3"]
A contract typically refers to one or more 'filters' to define the specific protocols, ports or services allowed between EPGs, and can also reference a services chain.
[Figure: Contracts between EPG "ZONE1", EPG "ZONE2" and EPG "ZONE3"; filters TCP: 80 and TCP: 443; services chaining]
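To make the EPG / contract / filter semantics of the last few slides concrete, here is an added example written for this deck, not Cisco's implementation: a small evaluator that decides a packet the way a leaf's zoning rules would. The ZONE1/ZONE2/ZONE3 and Contract1 names are the deck's; the IP addresses are constructed sample end points; the rules it models (intra-EPG traffic allowed, inter-EPG traffic dropped unless a matching contract is consumed by the source and provided by the destination, return traffic admitted through "apply both directions" with "reverse filter ports") are a simplification of the real policy engine.

```python
"""Whitelist semantics of EPGs and contracts (added example, not Cisco code).

Modelled rules (simplified):
- end points in the same EPG may talk freely (intra-EPG isolation off);
- between different EPGs traffic is dropped unless a contract consumed by
  the source EPG and provided by the destination EPG has a filter entry
  matching the flow;
- the reply of an allowed connection is admitted because subjects default
  to "apply both directions" with "reverse filter ports".
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FilterEntry:
    proto: str   # "tcp" or "udp"
    dport: int   # destination port on the provider side


@dataclass
class Contract:
    name: str
    entries: tuple
    apply_both_directions: bool = True
    reverse_filter_ports: bool = True


@dataclass
class EPG:
    name: str
    provides: set = field(default_factory=set)
    consumes: set = field(default_factory=set)


class Fabric:
    def __init__(self):
        self.epgs = {}
        self.contracts = {}
        self.endpoints = {}   # ip -> EPG name

    def add_epg(self, epg, ips):
        self.epgs[epg.name] = epg
        for ip in ips:
            self.endpoints[ip] = epg.name

    def add_contract(self, contract):
        self.contracts[contract.name] = contract

    def _contracts_between(self, consumer, provider):
        return [self.contracts[n] for n in consumer.consumes & provider.provides]

    def allowed(self, src_ip, dst_ip, proto, sport, dport):
        """Decide one packet src -> dst as the leaf's zoning rules would."""
        src, dst = self.endpoints.get(src_ip), self.endpoints.get(dst_ip)
        if src is None or dst is None:
            return False        # unknown end point: no EPG, no policy, dropped
        if src == dst:
            return True         # intra-EPG traffic
        s, d = self.epgs[src], self.epgs[dst]
        # Forward direction, consumer -> provider: match the destination port.
        for c in self._contracts_between(s, d):
            if any(e.proto == proto and e.dport == dport for e in c.entries):
                return True
        # Return direction, provider -> consumer: with reverse filter ports the
        # entry's port is matched against the *source* port of the packet.
        for c in self._contracts_between(d, s):
            if c.apply_both_directions and c.reverse_filter_ports and any(
                    e.proto == proto and e.dport == sport for e in c.entries):
                return True
        return False


def build_demo_fabric():
    """The deck's zones: ZONE1 consumes web (TCP 80/443) from ZONE2; ZONE3 has
    no contract at all. IP addresses are constructed sample end points."""
    f = Fabric()
    f.add_contract(Contract("Contract1", (FilterEntry("tcp", 80), FilterEntry("tcp", 443))))
    f.add_epg(EPG("ZONE1", consumes={"Contract1"}), ["10.0.1.10", "10.0.1.11"])
    f.add_epg(EPG("ZONE2", provides={"Contract1"}), ["10.0.2.10"])
    f.add_epg(EPG("ZONE3"), ["10.0.3.10"])
    return f
```

The last assertion in the test is the one to notice: because reverse filter ports is a stateless port match, a host in the provider EPG that sources its packets from TCP 443 reaches any port in the consumer EPG. ACI's answer is the "stateful" option on the filter entry, which for TCP only admits reverse traffic carrying the ACK flag; in a model like this one it would be an extra flag check on the return-direction branch.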