ACI breakout session
Transcript of ACI breakout session
Cisco Application Centric Infrastructure (ACI)
C97-730020 -01 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
6,000+ 50 1400+ Nexus 9K and ACI Customers Globally
Ecosystem Partners
ACI Customers
NEW
Providing Choice in Automation and Programmability
Cisco ACI Programmable Network Programmable Fabric
VxLAN-BGP EVPN standard-based
3rd party controller support (Openflow/NETCONF/OVSDB, etc.)
VTS for overlay provisioning
Nexus Fabric Manager (NFM)
L2/L3 VXLAN
Turnkey integrated solution
Embedded security, centralized management, and scale
Automated application or network centric-policy model
Broad and deep ecosystem
Modern NX-OS with enhanced NX-APIs
Automation Ecosystem (Puppet, Chef, Ansible, etc.)
Common NX-API across N2K-N9K
L2/L3 VXLAN
Designed from the Ground-Up to be Application Centric
Application Velocity. Any Workload.
Anywhere.
Common Platform—Integration of Physical, Virtual,
and Cloud
Common Policy, Management and
Operations (Network, Integrated
Security, and Applications)
Systems Approach
Open APIs, Open Source,
Open Standards
Lowest Total Cost of Ownership
The Status Quo Variety of users: cars, trucks, ambulances, buses, pedestrians, two-wheelers, etc. No Policy: No Lights, No Lanes, No Rules, No Governance, No Enforcement, Best Effort
Meskel Square [Source: Reddit.com]
Deploying Applications on Shared Infrastructure
SDN is about network automation.
Expansion and rolling out new applications
Common Scenario 1
Monitoring existing applications
Common Scenario 2
Why does it take weeks/months/years to respond to business needs?
WebServers
vLAN666
L3
FW
SLBSSL
DBServers
vLAN111
vLAN222
www www www
vLAN444
AppServers
FW
SLB
app app
FW
db db
switch1(config)# int eth 1/1
switch1(config)# switch mode acc
switch1(config)# switch acc vlan 666
switch1(config)# no shut
router(config)# int eth 1
router(config)# ip add 6.6.6.1 255.255.255.0
router(config)# no shut
router(config)# int eth 2
router(config)# ip addr 1.1.1.1 255.255.255.0
router(config)# no shut
router(config)# router eigrp 100
router(config)# network 6.6.6.0 mask 255.255.255.0
router(config)# network 1.1.1.0 mask 255.255.255.0
router(config)# ip route 0.0.0.0 0.0.0.0 6.6.6.254
switch2(config)# int eth 1/2 - 3
switch2(config)# switch mode acc
switch2(config)# switch acc vlan 111
switch2(config)# no shut
fw1(config)# int eth 0/1
fw1(config)# nameif outside 0
fw1(config)# int eth 0/2
fw1(config)# nameif webfront 20
fw1(config)# object network webfront_vip
fw1(config)# host 6.6.6.6
fw1(config)# static (webfront,outside) 1.1.1.6
fw1(config)# access-list outside_web permit tcp any host 6.6.6.6 eq 80
fw1(config)# access-list outside_web permit tcp any host 6.6.6.6 eq 443
fw1(config)# access-group outside_web in interface outside
switch3(config)# int eth 1/4 - 5
switch3(config)# switch mode acc
switch3(config)# switch acc vlan 222
switch3(config)# no shut
vLAN333
switch4(config)# int eth 1/6
switch4(config)# switch mode acc
switch4(config)# switch acc vlan 333
switch4(config)# no shut
switch4(config)# int eth 1/7 - 9
switch4(config)# switch mode acc
switch4(config)# switch acc vlan 333
switch4(config)# no shut
IDS/IPS
vLAN555
IDS/IPS
vLAN777
switch5(config)# int eth 1/10 - 11
switch5(config)# switch mode acc
switch5(config)# switch acc vlan 444
switch5(config)# no shut
switch5(config)# int eth 1/11 - 15
switch5(config)# switch mode acc
switch5(config)# switch acc vlan 555
switch5(config)# no shut
switch5(config)# monitor session 1 source vlan 555
switch5(config)# monitor session 1 dest eth 1/16
switch6(config)# int eth 1/16 - 19
switch6(config)# switch mode acc
switch6(config)# switch acc vlan 777
switch6(config)# no shut
switch6(config)# monitor session 1 source vlan 777
switch6(config)# monitor session 1 dest eth 1/20
slb1 (CONFIG)
probe http http-probe
  interval 30
  expect status 200 200
rserver host websrvr1
  description foo web server
  ip address 3.3.3.1
  inservice
rserver host websrvr2
  description foo web server
  ip address 3.3.3.2
  inservice
rserver host websrvr3
  description foo web server
  ip address 3.3.3.3
  inservice
serverfarm host FOOWEBFARM
  probe http-probe
  rserver websrvr1 80
    inservice
  rserver websrvr2 80
    inservice
  rserver websrvr3 80
    inservice
crypto generate key 1024 fooyou.key
crypto csr-params testparms
  country US
  state California
  locality San Jose
  organization-name foo
  organization-unit you
  common-name www.fooyou.com
  serial-number crisco123
crypto generate csr testparms fooyou.key
crypto import ftp 12.13.14.15 anonymous fooyou.cer
parameter-map type ssl SSL_PARAMETERS
  cipher RSA_WITH_RC4_128_MD5
  version TLS1
ssl-proxy service FOOWEB_SSL
  key fooyou.key
  cert fooyou.cer
class-map match-all FOOSSL_VIP_CLASS
  2 match virtual-address 2.2.2.22 tcp eq https
policy-map type loadbalance first-match L7-SSL-MATCH
  class L7_WEB
    sticky-serverfarm sn_cookie
policy-map multi-match FOOWEB-VIP
  class FOOWEB_VIP_CLASS
    loadbalance vip inservice
    loadbalance policy FOOWEB-MATCH
    loadbalance vip icmp-reply
    loadbalance vip advertise active
  class FOOSSL_VIP_CLASS
    loadbalance vip inservice
    loadbalance policy FOOSSL-MATCH
    loadbalance vip icmp-reply
    loadbalance vip advertise active
    ssl-proxy server FOOWEB_SSL
interface vlan 222
  service-policy input FOOWEB_SSL
fw2(config)# int eth 0/1
fw2(config)# nameif webfront 20
fw2(config)# int eth 0/2
fw2(config)# nameif appfront 50
fw2(config)# object network appfarm_vip
fw2(config)# host 5.5.5.5
fw2(config)# nat (appfront,webfront) static 4.4.4.4
fw2(config)# access-list web_to_app permit tcp any host 4.4.4.4 eq 8081
slb2 (CONFIG)
rserver host appsrvr1
  description foo app server
  ip address 5.5.5.1
  inservice
rserver host appsrvr2
  description foo app server
  ip address 5.5.5.2
  inservice
rserver host appsrvr3
  description foo app server
  ip address 5.5.5.3
  inservice
serverfarm host FOOAPPFARM
  probe http-probe
  rserver appsrvr1 8081
    inservice
  rserver appsrvr2 8081
    inservice
  rserver appsrvr3 8081
    inservice
class-map type http loadbalance match-any FOO_APP
  2 match http virtual-address 4.4.4.44 tcp eq 8081
class-map match-all FOO_APP_VIP_CLASS
policy-map type loadbalance first-match FOO_APP-MATCH
  class FOO_APP
    sticky-serverfarm sn_cookie
policy-map multi-match FOO_APP-VIP
  class FOO_APP_VIP_CLASS
    loadbalance vip inservice
    loadbalance policy FOO_APP-MATCH
    loadbalance vip icmp-reply
    loadbalance vip advertise active
fw3(config)# int eth 0/1
fw3(config)# nameif appfront 70
fw3(config)# int eth 0/2
fw3(config)# nameif dbfront 90
fw3(config)# object network db_cluster
fw3(config)# host 7.7.7.7
fw3(config)# nat (dbfront,appfront) static 5.5.5.50
fw3(config)# access-list web_to_app permit tcp any host 5.5.5.50 eq 1433
Subject Matter Expert Define Policies
1
SYSTEMS APPROACH: Rapid Deployment of Applications with Scale, Security and Full Visibility
Network SME
Security SME
Application SME
APIC
2 Policies Used To Create Application Network Profile Templates
3 Automated policy configuration across the infrastructure
Life cycle management for day 1, day 2 operations
4
Physical Networking
Compute L4–L7 Services
Storage Hypervisors and Virtual Networking
Multi DC WAN and Cloud
Nexus 2K
Nexus 7K
Integrated WAN Edge
• Tenant (VDC)
‒ Logical separator for customer, business unit, group etc.
‒ Separates traffic, admin, visibility, etc.
• VRF (VRF)
‒ VRF as we all know it to be
‒ Separates routing instances, can be used as an admin separation
• Bridge Domain (Subnet)
‒ A container for subnets
‒ Can be used to define the L2 flooding boundary/scope
• End Point Group (VLAN)
‒ Container for end-points (VM and bare-metal) requiring the same policy treatment
• Contract (Secure inter-VLAN communication)
‒ Defines communication between EPGs
‒ No contract = no inter-VLAN communication (white-list default policy)
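As an added example, not taken from the Cisco deck, the following Python models the constructs just listed (tenant, VRF, bridge domain, EPG, contract) for the Web/App/DB application, emits the object tree in the JSON shape the APIC REST API accepts, and evaluates the white-list rule: no contract, no inter-EPG communication. The class and attribute names (fvTenant, fvCtx, fvBD, fvAEPg, vzBrCP, vzFilter, vzEntry, ...) follow the APIC management information model; the tenant name, subnets and the 8081/1433 ports are constructed sample values.

```python
"""Model ACI policy constructs and the white-list default (added example)."""
from dataclasses import dataclass, field
import json


@dataclass
class Entry:            # one vzEntry: an L4 protocol/destination-port match
    name: str
    prot: str
    port: int


@dataclass
class Contract:         # vzBrCP: provided by one EPG, consumed by others
    name: str
    entries: list


@dataclass
class Epg:              # fvAEPg: endpoints needing the same policy treatment
    name: str
    bd: str
    provides: list = field(default_factory=list)
    consumes: list = field(default_factory=list)


@dataclass
class Tenant:
    name: str
    vrf: str
    bds: dict           # bridge domain name -> gateway address/prefix
    epgs: dict
    contracts: dict

    def to_apic_json(self) -> dict:
        """Build the fvTenant object tree in the shape the APIC REST API takes."""
        children = [{"fvCtx": {"attributes": {"name": self.vrf}}}]
        for bd, gw in self.bds.items():          # each BD binds to the VRF and owns a subnet
            children.append({"fvBD": {"attributes": {"name": bd}, "children": [
                {"fvRsCtx": {"attributes": {"tnFvCtxName": self.vrf}}},
                {"fvSubnet": {"attributes": {"ip": gw, "scope": "private"}}}]}})
        for c in self.contracts.values():        # contract -> subject -> filter -> entries
            entries = [{"vzEntry": {"attributes": {
                "name": e.name, "etherT": "ip", "prot": e.prot,
                "dFromPort": str(e.port), "dToPort": str(e.port)}}} for e in c.entries]
            children.append({"vzFilter": {"attributes": {"name": f"{c.name}-flt"},
                                          "children": entries}})
            children.append({"vzBrCP": {"attributes": {"name": c.name}, "children": [
                {"vzSubj": {"attributes": {"name": f"{c.name}-subj"}, "children": [
                    {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": f"{c.name}-flt"}}}]}}]}})
        ap_children = []
        for epg in self.epgs.values():           # EPGs live in an application profile
            rels = [{"fvRsBd": {"attributes": {"tnFvBDName": epg.bd}}}]
            rels += [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in epg.provides]
            rels += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in epg.consumes]
            ap_children.append({"fvAEPg": {"attributes": {"name": epg.name}, "children": rels}})
        children.append({"fvAp": {"attributes": {"name": "3tier"}, "children": ap_children}})
        return {"fvTenant": {"attributes": {"name": self.name}, "children": children}}

    def allowed(self, src: str, dst: str, prot: str, port: int) -> bool:
        """White-list semantics: inter-EPG traffic is dropped unless a contract consumed
        by src and provided by dst carries an entry matching prot/port. Traffic inside one
        EPG is permitted here (intra-EPG isolation is not modelled)."""
        if src == dst:
            return True
        s, d = self.epgs[src], self.epgs[dst]
        for cname in set(s.consumes) & set(d.provides):
            if any(e.prot == prot and e.port == port for e in self.contracts[cname].entries):
                return True
        return False


def build_sample_tenant() -> Tenant:
    """Constructed Web -> App -> DB tenant: only the two hops are white-listed."""
    contracts = {
        "web-to-app": Contract("web-to-app", [Entry("http-alt", "tcp", 8081)]),
        "app-to-db": Contract("app-to-db", [Entry("mssql", "tcp", 1433)]),
    }
    epgs = {
        "Web": Epg("Web", "bd-web", consumes=["web-to-app"]),
        "App": Epg("App", "bd-app", provides=["web-to-app"], consumes=["app-to-db"]),
        "DB": Epg("DB", "bd-db", provides=["app-to-db"]),
    }
    bds = {"bd-web": "3.3.3.254/24", "bd-app": "5.5.5.254/24", "bd-db": "7.7.7.254/24"}
    return Tenant("foo", "foo-vrf", bds, epgs, contracts)


if __name__ == "__main__":
    t = build_sample_tenant()
    print(json.dumps(t.to_apic_json(), indent=1))
    print("Web->App 8081:", t.allowed("Web", "App", "tcp", 8081))
    print("Web->DB 1433:", t.allowed("Web", "DB", "tcp", 1433))
```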
App DB Web
Outside (Tenant VRF)
QoS
Filter
QoS
Service
QoS
Filter
ACI Fabric
Non-Blocking Penalty Free Overlay
Application Policy Infrastructure Controller
APIC
Centralized Compliance and
Auditing
Import / Export Policy via API (Support for External Policy Engines)
Automated Services Chaining
Engineering Legal Sales HR Finance Marketing
Complete Isolation with Full Scalability and
Security
Policy Separated from Network Forwarding
Policy Engine
Enabling a Dynamic Enterprise Without Compromise
Encrypted Controller Communication
Advanced Role Based Access Control APIC
PROD POD DMZ
SHARED SERVICES
Basic DC Segmentation
Flexible Segmentation
DEV
TEST
PROD
Application Lifecycle Segmentation
WEB
APP
DB
Service Level Segmentation
Network-Centric Segmentation
VLAN 1 VXLAN 2
VLAN 3
Hypervisor Agnostic Micro-segmentation For Any Virtual Workload
Quarantine Infected VMs With Guest OS = Linux
Hypervisor
Virtual Switch
Attributes Based Micro-Segments (DVS, AVS, Hyper-V Switch, KVM*)
FW
OS = Linux Name = Video-* IP = 1.1.1.x
FW
Intra-EPG Isolation + Micro-segmentation For Any Workload (Physical, Virtual)
Intra-EPG Isolation
Local switching
Micro-Segmentation
Web EPG DB EPG
DB EPG
Intra-EPG Isolation + Micro-Segmentation
DB EPG
Local switching
Intra-EPG Isolation
FW
EPG Isolation + Micro-Segmentation
Web EPG
Intra-EPG Isolation
Quarantine Infected VMs
Quickly Detect and Mitigate Application Issues
APP APP APP APP APP APP
ACI Monitoring
ACI Operational Simplicity
Capacity Dashboard Visibility & Troubleshooting
Application Policy
Infrastructure Controller
ACI Spine Nodes
ACI Leaf Nodes
• ACI Fabric provides:
‒ Decoupling of endpoint identity, location, and associated policy, all of which are independent from the underlying topology
‒ Full normalization of the ingress encapsulation mechanism used: 802.1Q VLAN, IETF VXLAN, IETF NVGRE
‒ Distributed Layer 3 gateway to ensure optimal forwarding for Layers 3 and 2
‒ Support for standard bridging and routing semantics without standard location constraints (any IP address anywhere)
‒ Service insertion and redirection
‒ Removal of flooding requirements for IP control plane (ARP, GARP)
APIC
• ACI Fabric is based on an IP fabric supporting routing to the edge with an integrated overlay for host routing
‒ All end-host (tenant) traffic within the fabric is carried through the overlay
• The fabric is capable of supporting an arbitrary number of tiers and/or partial mesh if required
• Why choose an integrated overlay?
‒ Mobility, scale, multi-tenancy, and integration with emerging hypervisor designs
‒ Data traffic can now carry explicit meta data that allows for distributed policy (flow-level control without requiring flow-level programming)
IP fabric with integrated overlay
Each node will be assigned loopback IP address(es) advertised through IS-IS
IP unnumbered 40 Gb links
APIC
VXLAN VNID = 5789
VXLAN VNID = 11348
NVGRE TNI= 7456
Any to Any
802.1Q VLAN 50
Normalized Encapsulation
Localized Encapsulation
IP Fabric Using VXLAN Tagging
Payload IP VXLAN VTEP
• All traffic within the ACI Fabric is encapsulated with a VXLAN header
• External VLAN, VXLAN, NVGRE tags are mapped at ingress to an internal VXLAN tag
• Forwarding is not limited to, nor constrained within, the encapsulation type or encapsulation ‘overlay’ network
• L2 and L3 VXLAN capabilities at every leaf switch
Diagram: packet formats for each ingress encapsulation, all carrying the same payload: Eth/IP/VXLAN/outer IP, IP/NVGRE/outer IP, IP/802.1Q, Eth/IP, Eth/MAC
Normalization of Ingress Encapsulation
APIC
Overview of ACI Fabric Unicast Forwarding
1. Packet sourced from a VM attached to the ingress port group (vSwitch: VMware or Microsoft) or directly from a physical server
2. vSwitch encapsulates the frame and forwards it to the leaf VTEP
3. Leaf maps the ingress encapsulation to VXLAN and performs any required policy functions
4a. If the leaf has learned the inner-IP-to-egress-VTEP binding, it sets the required VTEP address and forwards directly to the egress leaf
4b. If the ingress leaf does not hold a cache entry for the IP-to-egress-VTEP binding, it sets the VTEP address to the anycast VTEP, which performs an inline hardware lookup and rewrites the egress VTEP. No additional latency nor any decrease in throughput due to the lookup
5. Egress leaf swaps the outer VXLAN with the correct egress encapsulation and performs any required policy
6. Leaf forwards the frame to the vSwitch or directly to the physical server
7. Packet transmitted on the vSwitch port
• ACI Fabric supports full Layer 2 and Layer 3 forwarding semantics; no changes required to applications or endpoint IP stacks
• ACI Fabric provides optimal forwarding for Layer 2 and Layer 3
‒ Fabric provides a pervasive SVI, which allows for a distributed default gateway
‒ Layer 2 and Layer 3 traffic are directly forwarded to the destination endpoint
• IP ARP and GARP packets are forwarded directly to the target endpoint address contained within ARP or GARP header (elimination of flooding)
Distributed Default Gateway Directed ARP Forwarding
• The forwarding table on the Leaf switch is divided between local (directly attached) and global entries
• The Leaf global table is a cached portion of the full global table
• If an endpoint is not found in the local cache the packet is forwarded to the ‘default’ forwarding table in the spine switches (1,000,000+ entries in the spine forwarding table)
Diagram: station tables for endpoints 10.1.3.11 (Leaf 1, port 9) and 10.1.3.35 (Leaf 3), their IPv6 link-local entries fe80::462a:60ff:fef7:8e5e and fe80::62c5:47ff:fe0a:5b1a, Leaf 4 and Leaf 6, and the spine proxies (Proxy A, Proxy B)
Global station table contains a local cache of the fabric endpoints
Local station table contains addresses of all hosts attached directly to the iLeaf
Proxy station table contains addresses of all hosts attached to the fabric
• Elastic service insertion architecture for physical and virtual services
• Helps enable administrative separation between application tier policy and service definition
• APIC as central point of network control with policy coordination
• Automation of service bring-up/tear-down through programmable interface
• Supports existing operational model when integrated with existing services
• Service enforcement guaranteed, regardless of endpoint location
Diagram: the Application Admin defines App Tier A and App Tier B (Web Servers, App Server) with policy redirection into the chain “Security 5”; the Service Admin defines the Service Graph (begin, Stage 1 … Stage N, end), its Providers (Firewall instances, Load Balancer instances, …) and the Service Profile
“Security 5” Chain Defined
• Service automation requires a vendor device package. It is a zip file containing
• Device specification (XML file)
• Device scripts (Python)
• APIC interfaces with the device using device Python scripts
• APIC uses the device configuration model provided in the package to pass appropriate configurations to the device scripts
• Device script handlers interface with the device using its REST or CLI interface
Device Package
Device Specification
<dev type="f5">
<service type="slb">
<param name="vip">
<dev ident="210.1.1.1"
<validator="ip"
<hidden="no">
<locked="yes">
APIC – Policy Element Device Model
Device-Specific Python Scripts
APIC Script Interface
Script Engine
APIC Node
Device Interface: REST/CLI
Service Device
APIC
Overview of ACI Fabric Policy Mechanisms
1. Packets identified as belonging to a specific end point group (EPG) based on ingress classification (port group, physical port, IP address, VLAN)
2. vSwitch (VMware or Microsoft) encapsulates packets associated with an EPG using the assigned VLAN/VXLAN/NVGRE identifier
3. Based on classification, the leaf populates the matching Source Group field of the eVXLAN header (Payload | VNID | Flags | aVTEP | SRC Group)
4. If the leaf knows the egress EPG associated with the inner packet destination, it checks the policy rules and implements the required function; if invoked, policy bits are set to indicate that ingress policy was applied
5. If the application policy indicates that service chaining is required, the fabric sets the destination VTEP to the next hop in the chain until all steps in the chain are complete
6. Egress leaf examines the policy flags in the eVXLAN header and, if required, implements the required policy function
7. Leaf forwards the frame to the vSwitch to be forwarded to the VM, or directly to the physical server. Any egress vSwitch policy is enforced based on port group
Partner | ACI Integration | ETA
F5 (Big IP physical and virtual) | Service policy automation, service chaining & insertion, health score | Now
Cisco ASA (5585 8.4 and ASAv 9.2.1) | Service policy automation, service chaining & insertion, health score | Now
Citrix (NetScaler MPX, SDX, VPX, NetScaler 1000v) | Service policy automation, service chaining & insertion, health score | Now
Palo Alto Networks | Automation of security policies and central point of mgmt through APIC | Now
A10 | SLB policy automation, service chaining & insertion, health score | Now
Check Point | Automation of security policies and central point of mgmt through APIC | Now
Cisco Sourcefire | Automation of IPS policies and central point of mgmt through APIC | Now
Radware | Automation of ADC and DDoS policies, with central point of mgmt through APIC | Now
Cisco CSR | Automation of NAT and SGT policies (under discussion), with central point of mgmt | Future
Cisco WAAS | Automation of WAN Optimization policies, with central point of mgmt through APIC | Future
Fortinet | Automation of security policies and central point of mgmt through APIC | Now
Kemp | Automation of ADC policies and central point of mgmt through | Future
McAfee | Automation of security policies and central point of mgmt through APIC | Now
Riverbed | Automation of virtual ADC & WAN Opt policies, with central point of mgmt through APIC | Future
Symantec | Symantec security automation, backup and recovery, infrastructure compliance | Now
Avi Networks | Virtual L4-L7 service automation, service chaining and insertion, analytics | Now
CatBird | Virtual security policy automation, PCI compliance, health score | Future
Partner | ACI Integration | ETA
VMware | ESX, vCenter, vShield: Integrated Overlay, VLAN & VXLAN; App visibility, Mobility | Now
Canonical | OpenStack: Ubuntu; Automation, Telemetry, and Distributed L2/L3 behavior | Now
Red Hat | KVM/OpenStack: RHEL 7, RH OpenStack 5; Automation, Telemetry, and L2/L3 | Now
Microsoft | SCVMM & Azure Pack Integration: VM Networks, VLAN, NVGRE; App visibility, Mobility | Now
EMC Storage | EMC SMARTS: Fault and Performance Mgmt, Config & Compliance, Flow Monitoring; EMC ViPR: Automated storage provisioning (File+block), Monitoring & Troubleshooting; EMC Isilon: App policy Mgmt, network Load Balancing, Template based provisioning, Monitoring and Troubleshooting; EMC Pivotal: Network Load Balancing, Template based provisioning | Now
Nutanix | Integration with Nutanix Prism; Integrated App visibility: Compute + Storage + Network | Now
Partner | ACI Integration | ETA
Cisco Prime Infrastructure | Fabric and application monitoring; Correlate Nexus data with storage, OS, applications, and virtual and physical infrastructure for enterprise-wide visibility | Now
CA Technologies | CA Nolio: Support of DevOps use cases, secure cloning of application profiles; CA Nimsoft: Fault and Performance Management integration | Now
Cisco UCS Director | Cloud Management with Unified Infrastructure management; Support for FlexPod with ACI | Now
Splunk | Proactively monitor performance, Visualize network telemetry; Correlate ACI Application data with storage, OS, applications, and virtual and physical infrastructure for enterprise-wide visibility | Now
Zenoss | Unified Infrastructure Management across compute (UCS), network (ACI) and storage (NetApp, EMC); Application Dependency Mapping, Fabric health score and application health scores | Now
IBM Smart Cloud Orchestrator | Cloud Management with integration with ACI OpenStack plugin | Now
Cisco NAM and NGA | Application Dependency mapping; Migration from existing DC networks to ACI, 100% NetFlow Visibility | Now
IBM Tivoli | Fault Management with SNMP and syslog messages | Now
BMC | Cloud Management with BMC Cloud Life Cycle Management | Now *
Cisco IAC | Use cases defined, CC to be completed | Future
CloudStack | Cloud Management offering | Now
vRA | Cloud Management offering | Now
Partner | ACI Integration | ETA
EMC VSPEX | Extension of ACI policies to EMC storage, with converged stack offering | Now
Hitachi Data Systems | Extension of ACI policies and automation to Hitachi converged stack | Now
Cloudera | Acceleration and visibility of Hadoop/big data | Now
NetApp FlexPod | Integrated stack with standalone N9K + NetApp Storage | Now
VCE Vblock | Integrated stack with Vblock + N9K | Now
SAP | SAP Business Warehouse on SAP HANA + ACI + Vblock; Accelerate App deployment, App visibility | Now
MapR | Acceleration and visibility of Hadoop/big data | Now
Hortonworks | Acceleration and visibility of Hadoop/big data | Now
• Integrated gateway for VLAN, VXLAN, and NVGRE networks from virtual to physical
• Normalization for NVGRE, VXLAN, and VLAN networks
• Customer not restricted by a choice of hypervisor
• Fabric is ready for multi-hypervisor
Virtual Integration Network Admin
Application Admin
PHYSICAL SERVER
VLAN VXLAN
VLAN NVGRE
VLAN VXLAN
VLAN
ESX Hyper-V KVM
Hypervisor Management
ACI Fabric
APIC
APIC
VMware Microsoft
Red Hat Xen
VMware Microsoft Red Hat
• Network policy coordination with virtualization managers
• Automatic virtual endpoint detection and policy placement
• Policies consistently implemented in virtual and physical
• Network policy stays sticky with VM
Virtual Integration Hypervisor
Management
Web App DB
Application Profile
Network Policy Coordination
Web App DB
VM Attach/Detach
Notification PortGroup
VM Mobility Notification
PortGroups VM Networks
APIC
APIC VMware Microsoft Red Hat
Xen
VMware Microsoft
APIC Admin
VI/Server Admin Instantiate VMs, Assign to Port Groups
L/B
EPGAPP
EPG DB
F/W
EPG WEB
Application Network Profile
Create Application Policy
Web Web Web App
HYPERVISOR HYPERVISOR
VIRTUAL DISTRIBUTED SWITCH
WEB PORT GROUP
APP PORT GROUP
DB PORT GROUP
vCenter Server
8
5
1
9 ACI Fabric
Automatically Map EPG To Port Groups
Push Policy (On Demand)
Create VDS 2
Cisco APIC and VMware vCenter Initial
Handshake
6
DB DB
7 Create Port Groups
APIC
3
Attach Hypervisor to VDS
4 Learn location of ESX Host through LLDP
vSphere Web Client for vSphere 6.x
ACI Plugin
for vCenter
VI Admin
Network Compute Storage
VI Admin
vCenter
Manage
Empower Virtualization Admin to Define Network Connectivity
Establish connectivity to the ACI Fabric
Create/Manage Tenants, Subnets, Application Profiles
Create ACI Port Groups
Define Security Policies
Monitor Health Scores
Available now
Configuring a new ACI Fabric directly from vCenter
“Manage ACI Fabrics”
Microsoft Integration with ACI Two modes of Operation
• Policy Management: Through APIC
• Software / License: Windows Server with Hyper-V, SCVMM
• Encapsulations: VLAN
• Plugin Installation: Manual
Integration with SCVMM
APIC
Integration with Azure Pack
APIC
• Superset of SCVMM
• Policy Management: Through APIC or through Azure Pack
• Software / License: Windows Server with Hyper-V, SCVMM, Azure Pack (free)
• Encapsulations: VLAN, NVGRE
• Plugin Installation: Integrated
APIC Admin
SCVMM Admin Instantiate VMs, Assign to VM Networks
L/B
EPG APP
EPG DB F/W
EPG WEB
Application Network Profile
Create Application Policy
MSFT SCVMM
8
5
1
9 ACI Fabric
Automatically Map EPG To VM Networks
Push Policy
Create Virtual Switch
2
Cisco APIC and MSFT SCVMM Initial
Handshake
6
ACI Hypervisor Integration – Microsoft SCVMM
APIC
3 Attach Hypervisor to Virtual Switch
4 Learn location of HyperV Hosts
HYPERVISOR HYPERVISOR
HYPERV VIRTUAL SWITCH
7 Create VM Networks
WEB VM NETWORK
APP VM NETWORK
DB VM NETWORK
Web Web App App DB
OpenStack VMM Domain
KVM Hypervisor Operational Data
Per Hypervisor / Per Group
View
Per EP stats, Health scores,
faults
• Unified point of data center network automation and management:
‒ Application-centric network policies
‒ Data model-based declarative provisioning
‒ Application, topology monitoring, and troubleshooting
‒ Third-party integration (Layer 4 - 7 services, storage, compute, WAN, etc.)
‒ Image management (Spine / Leaf)
‒ Fabric inventory
• Single APIC cluster supports one million+ endpoints, 200,000+ ports, 64,000+ tenants
• Centralized access to all fabric information - GUI, CLI, and RESTful APIs
• Extensible to compute and storage management
Layer 4..7 System Management
Storage Management
Orchestration Management
Storage SME Server SME Network SME
Security SME App. SME OS SME
Open RESTful API
Policy-Based Provisioning
APIC
• Applications fully use clustered and replicated controller (N+1, N+2, etc.)
• Any node is able to service any user for any operation
• Seamless APIC node adds and deletes
• Fully automated APIC software cluster upgrade with redundancy during upgrade
• Cluster size driven by transaction rate requirements
• APIC is not in the control or data paths
Single Point of Management Without a Single Point of Failure
See What’s Inside
APIC Cluster Distributed, Synchronized, Replicated
APIC
Diagram: a 3-31 node APIC cluster; every APIC node runs the Topology, Policy, Observer and Boot functions, and the data shards are spread across the nodes over the ACI Fabric
• Shard is a unit of data mgmt
‒ Data is placed into shards
‒ Each shard has 3 replicas
‒ Shards are evenly distributed
• Allows horizontal (scale-out) scaling. Simplifies replication scope.
• Each APIC node has all APIC functions; however, processing is evenly distributed
‒ Shard data assignments are based on a pre-determined hash function
‒ Static shard layout determines the assignment of shards to appliances
APIC Clustering
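To make the sharding description concrete, here is an added Python example (not Cisco code and not the APIC's real hash function) that builds a static shard layout with 3 replicas per shard spread evenly over an N-node cluster, then checks how many replicas of each shard remain reachable after a given set of nodes fails. The layout rule and the cluster sizes are assumptions chosen for illustration.

```python
"""Static shard layout with 3 replicas per shard, and replica survival under node loss
(added example; the layout function is an illustration, not the APIC's algorithm)."""
from itertools import combinations

REPLICAS = 3  # the deck states each shard has 3 replicas


def shard_layout(num_shards: int, num_nodes: int) -> dict:
    """Static, pre-determined layout: shard s is replicated on nodes s, s+1, s+2 (mod N).
    With N >= 3 the three replicas of a shard always land on distinct appliances."""
    if num_nodes < REPLICAS:
        raise ValueError("cluster smaller than the replica count")
    return {s: tuple((s + i) % num_nodes for i in range(REPLICAS))
            for s in range(num_shards)}


def replica_load(layout: dict, num_nodes: int) -> list:
    """Number of replicas hosted on each node (how evenly the shards are spread)."""
    load = [0] * num_nodes
    for nodes in layout.values():
        for n in nodes:
            load[n] += 1
    return load


def surviving_replicas(layout: dict, failed: set) -> dict:
    """Replicas of each shard still reachable once the given nodes have failed."""
    return {s: sum(1 for n in nodes if n not in failed) for s, nodes in layout.items()}


def shards_without_majority(layout: dict, failed: set) -> list:
    """Shards left with fewer than 2 of their 3 replicas, i.e. unable to form a majority."""
    return [s for s, alive in surviving_replicas(layout, failed).items()
            if alive * 2 <= REPLICAS]


def max_tolerable_failures(layout: dict, num_nodes: int) -> int:
    """Largest k such that *every* k-node failure leaves every shard with a majority."""
    k = 0
    while k + 1 < num_nodes and all(
            not shards_without_majority(layout, set(f))
            for f in combinations(range(num_nodes), k + 1)):
        k += 1
    return k


if __name__ == "__main__":
    layout = shard_layout(num_shards=30, num_nodes=5)   # constructed sample cluster
    print("replicas per node:", replica_load(layout, 5))
    print("shards without majority after nodes 0 and 1 fail:",
          shards_without_majority(layout, {0, 1}))
    print("failures every shard tolerates:", max_tolerable_failures(layout, 5))
```

Because any two replicas of one shard can sit on the same pair of nodes, the cluster as a whole only guarantees a majority for every shard against a single node failure, regardless of cluster size.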
• APIC one time setup is via UCS console access
• Cluster configuration
‒ Fabric Name
‒ Number of controllers [1..9]
‒ Controller ID [1..9]
‒ TEP Address pool [10.0.0.1/16]
‒ Infra VLAN ID [4093]
• Out-of-band management configuration
‒ Management IP address [192.168.10.1/254]
‒ Default gateway [192.168.10.254]
• Admin user configuration
‒ Enable strong passwords (Y/N)
‒ Password
After first time setup, APIC UI is accessible via URL https://<APIC-mgmt-IP>
• ACI Fabric supports discovery, boot, inventory, and systems maintenance processes through the APIC
‒ Fabric discovery and addressing
‒ Image management
‒ Topology validation through wiring diagram and systems checks
APIC Cluster
Topology discovery through LLDP
Loopback and VTEP IP addresses allocated from “infra VRF” through DHCP from APIC
APIC APIC APIC
DB EPG
ISE
ACI Fabric
Corp EPG
Marketing
Engineering
Corp→DB: Allow, Redirect to ASA
All Other: Drop
APIC Policy Contract
Source Destination Action
Engineering Any Allow
Any Any Deny [SGT 333]
SXP
1. Corporate users on traditional Nexus 7000 in Corp EPG get assigned SGT values by ISE
2. ASA learns SGT mappings OOB through SXP
3. Coarse filtering: ACI Policy Contract allows all traffic from corporate network to database, redirects to ASA
4. Fine filtering: ASA permits only Engineering to access database from corporate based on SGT
Network is Simpler
Policy Model = Network Constructs
NX-OS CLI
Standard Designs
Troubleshooting & Visibility
Zero Touch Provisioning (LLDP, IS-IS)
CLOS Leaf-Spine Architecture
Automated Forwarding Plane (VXLAN)
Achieve faster infrastructure agility
EPG = VLAN, VXLAN
Bridge Domain, VRF
1:1 Parity between CLI, GUI and APIs
Stretched Fabric
Multi-pod, Multi-site
(Future directions)
Ping, Traceroute, Atomic Counters, SPAN
Outside
Tenant “Common”
Private Network (VRF)
Bridge Domain (Hardware Proxy)
SITE 1
Interconnect
SITE 2
ACI toolkit (diagram: APIC with an NX-OS-like CLI, the ACI Toolkit and custom Python scripts, all on top of the APIC API)
Now available @ http://datacenter.github.io/acitoolkit/
• Simple toolkit built on top of the APIC REST API
• Scripts built with the toolkit are easy to read
• Focused primarily on configuration
• Preserves the ACI concepts (tenant, application profile, EPG, contract, filter) as Python objects
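The toolkit and the APIC CLI both end up emitting the same thing: a tree of managed objects posted to the APIC REST API. The block below is an added example written for this page, not Cisco's code and not acitoolkit, that builds the coarse Corp→DB contract from the TrustSec slide above directly as APIC objects, so the policy model (tenant, VRF, bridge domain, EPG, filter, contract, provider/consumer relations and a static VLAN-to-port binding for the Nexus 7000 trunk) is visible as data. Class and attribute names (fvTenant, fvAEPg, vzBrCP, fvRsPathAtt, and so on) are the standard APIC object model; the tenant, VRF, BD, EPG, VLAN, port, port number and URL values are assumptions. The "redirect to ASA" half of the slide is a service graph and is not modelled here.

```python
"""Corp->DB contract from the TrustSec slide as APIC REST objects (added example)."""
import json
import os
import ssl
import urllib.request


def tcp_filter(name, port):
    """vzFilter with one vzEntry matching TCP to a single destination port."""
    entry = {"name": f"tcp-{port}", "etherT": "ip", "prot": "tcp",
             "dFromPort": str(port), "dToPort": str(port)}
    return {"vzFilter": {"attributes": {"name": name},
                         "children": [{"vzEntry": {"attributes": entry}}]}}


def contract(name, filter_name, scope="context"):
    """vzBrCP with one subject referencing the filter; scope=context keeps it to the VRF."""
    subj = {"vzSubj": {"attributes": {"name": "subj"}, "children": [
        {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": filter_name}}}]}}
    return {"vzBrCP": {"attributes": {"name": name, "scope": scope}, "children": [subj]}}


def epg(name, bd, provides=(), consumes=(), static_paths=()):
    """fvAEPg bound to a BD, with provider/consumer relations and optional static
    VLAN-to-port bindings (how a brownfield 802.1Q trunk lands in an EPG)."""
    children = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]
    children += [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in provides]
    children += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumes]
    children += [{"fvRsPathAtt": {"attributes": {
        "tDn": path, "encap": f"vlan-{vlan}", "mode": "regular"}}}
        for path, vlan in static_paths]
    return {"fvAEPg": {"attributes": {"name": name}, "children": children}}


def build_tenant(tenant="corp-demo"):
    """Whole tenant subtree; assumed names throughout. Everything not allowed by
    the contract is dropped by the fabric, which is the slide's 'All other: Drop'."""
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [
        {"fvCtx": {"attributes": {"name": "vrf1"}}},
        {"fvBD": {"attributes": {"name": "bd1"},
                  "children": [{"fvRsCtx": {"attributes": {"tnFvCtxName": "vrf1"}}}]}},
        tcp_filter("sql-1433", 1433),
        contract("corp-to-db", "sql-1433"),
        {"fvAp": {"attributes": {"name": "app1"}, "children": [
            epg("DB", "bd1", provides=["corp-to-db"]),
            # Assumed: the Nexus 7000 trunk arrives on leaf 101 eth1/1 tagged VLAN 100
            epg("Corp", "bd1", consumes=["corp-to-db"],
                static_paths=[("topology/pod-1/paths-101/pathep-[eth1/1]", 100)]),
        ]}},
    ]}}


def contract_relations(tenant_json):
    """Flatten (epg, role, contract) so the whitelist can be reviewed before pushing."""
    rels = set()
    for child in tenant_json["fvTenant"]["children"]:
        for ap_child in child.get("fvAp", {}).get("children", []):
            e = ap_child["fvAEPg"]
            for rel in e["children"]:
                for cls, role in (("fvRsProv", "provides"), ("fvRsCons", "consumes")):
                    if cls in rel:
                        rels.add((e["attributes"]["name"], role,
                                  rel[cls]["attributes"]["tnVzBrCPName"]))
    return rels


def apic_login(apic, user, pwd, ctx):
    """POST /api/aaaLogin.json; returns the session token sent back as APIC-cookie."""
    body = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": pwd}}}).encode()
    req = urllib.request.Request(f"{apic}/api/aaaLogin.json", data=body, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["imdata"][0]["aaaLogin"]["attributes"]["token"]


def apic_post(apic, token, mo, ctx):
    """POST a managed-object tree under the policy universe (uni); returns HTTP status."""
    req = urllib.request.Request(f"{apic}/api/mo/uni.json", data=json.dumps(mo).encode(),
                                 method="POST", headers={"Cookie": f"APIC-cookie={token}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    tenant = build_tenant()
    print(sorted(contract_relations(tenant)))
    apic = os.environ.get("APIC_URL")  # e.g. https://<APIC-mgmt-IP>; unset -> print only
    if apic:
        # Verify the APIC certificate rather than disabling TLS checks: APIC_CA points
        # at the APIC's (self-signed or CA-issued) certificate exported from the UI.
        ctx = ssl.create_default_context(cafile=os.environ.get("APIC_CA"))
        token = apic_login(apic, os.environ["APIC_USER"], os.environ["APIC_PASS"], ctx)
        print("HTTP", apic_post(apic, token, tenant, ctx))
    else:
        print(json.dumps(tenant, indent=1))
```

Without APIC_URL set the script only prints the object tree and the flattened provider/consumer list, which is the review artefact worth keeping: it states exactly which EPG pairs may talk and on which port, and anything absent from it is dropped by the fabric.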
NX-API
UCS Director: Multi-vendor Support, Agility and Simplicity for Virtualized and Bare-Metal IT Services
Centralized lifecycle management of physical and virtualization infrastructure
• Users: IT admins, IT operations, end users
• Physical infrastructure (UCS, Nexus) and virtual infrastructure
• Open API for integration
• Self-service portal; admin / end-user console; OS, VM and application deployment
• Policy manager; service request approvals
• Resource pools; consumption cost model; metering / utilization
• Integrations shown: Cisco ASAv, ISE, Cisco VACS
CliQr
vRealize Automation
Nexus 9000 and ACI Delivering Business Outcomes
• 10-20% compute and storage optimization
• 58% reduction in network provisioning
• 21% reduction in management costs
• 45% reduction in power and cooling costs
• 25% CAPEX reduction
Outcomes: greater business agility; lower capital expenses; reduced costs / complexity; lower operating cost; resource optimization
“Cisco’s open standards approach makes ACI even stronger. We conducted testing on ACI … it fully delivered everything we expected, and proved to be quite stable and mature.”
Nik Weidenbacher, Principal Engineer, SunGard
“Cisco ACI is an open, future-proofed data center architecture that can continue to grow as we enhance client services.”
Chuck Crane, Network and Security Architect, Axciom
“This will enable Telstra to deliver service agility, security and performance that our customers expect from an enterprise grade cloud.”
Erez Yarkoni, Executive Director, Telstra
Architecture Design Implementation Operation
PEOPLE – PROCESS - TOOLS
Two Big Questions
“Is ACI a Closed System?” “Do I need to replace all of my existing infrastructure to begin leveraging ACI?”
ABSOLUTELY NOT !!! Let’s see WHY and HOW …
Extend and integrate: four ways to bring ACI into an existing Nexus 2K-7K fabric (diagram: the existing 2K-7K fabric with AVS on virtual hosts and physical hosts; an N9K ACI fabric with its APIC cluster; N2K FEX; the WAN/DCI or DC core)
• ACI Leaf Overlay: full policy & management model; seamless HW gateway integration
• ACI Policy Engine: full policy model; zero impact to the existing fabric; appliance-style addition to the fabric
• N2K Integration in ACI Fabric: deploy N2K in the ACI fabric
• ACI Integrated DCI: automated DCI integration; large-scale tenant extension
• WAN and L3 DCI connection: L3 connection between ACI and the external WAN router; provides the WAN/Internet connection for a tenant; L3 DCI to a remote data center
• L2 DCI: L2 handoff to an external platform (N7K, ASR9K, ASR1K, etc.); the external platform provides the L2 DCI solution with OTV or VPLS
• Connect an existing network to ACI: brownfield migration; connect existing workloads to the ACI fabric
(Diagram: ACI fabric with a Web EPG; WAN, L3 DCI and L2 DCI connections; a VLAN handoff)
• Connect non-ACI networks to ACI leaf nodes (diagram: an existing backbone attached to the leafs over vPC)
• Connect at L2 with VLAN trunks (802.1Q)
• Objective: map VLANs to EPGs and extend the policy model to non-ACI networks
‒ Map a VLAN to an internal EPG (a static binding of the VLAN on the trunk port to the EPG)
‒ L2 outside from a border leaf
Once a VLAN is mapped, every host the brownfield switch places in that VLAN inherits the EPG's contracts, so the trunk to the legacy switch is a trust boundary: whatever is allowed onto that VLAN upstream is in the EPG.
• Border leaf: any leaf can be a border leaf; no limit on the number of border leafs in the fabric; provides connectivity and policy enforcement for outside traffic
• Routing protocols: static routes; OSPF, iBGP, eBGP, EIGRP and IPv6; BGP-EVPN in the future (GOLF)
• Choice of interfaces: L3 interfaces; L3 sub-interfaces (VRF-lite for multi-tenancy); SVI interface (L2 and L3 outside connection on the same port)
Single APIC cluster / single domain:
• Stretched Fabric: one ACI fabric spanning Site 1 and Site 2
• Multi-POD (Q2CY16): POD 'A' and POD 'B', each with its own leafs and spines, one APIC cluster, MP-BGP EVPN between the pods
Multiple APIC clusters / multiple domains:
• Dual-Fabric Connected: ACI Fabric 1 and ACI Fabric 2 joined by L2 and L3 extension (Web, App and DB tiers across both)
• Multi-Site (future): Site 'A' and Site 'B' over an IP network with MP-BGP EVPN
ACI Stretched Fabric (diagram: Site 1, Site 2 and Site 3 joined through transit leafs over 2x40G or 4x40G links)
• Transit leafs in all sites connect to the local and remote spines
ACI Multi-POD Solution Overview (diagram: POD 'A' … POD 'n' connected over an IP inter-POD network, one APIC cluster; IS-IS, COOP and MP-BGP shown per POD)
• Multiple ACI PODs connected by an IP inter-POD L3 network; each POD consists of leaf and spine nodes
• Managed by a single APIC cluster
• Single management and policy domain; end-to-end policy enforcement
• Forwarding control plane (IS-IS, COOP) fault isolation between PODs
Multi-Site ACI Fabric (diagram: Site 'A' and Site 'B' with Web, App and DB, connected over an IP network with mBGP-EVPN)
• Host-level reachability is advertised between fabrics via BGP
• The transit network is a plain IP network; host routes do not need to be advertised into it
• Policy context is carried with the packets as they traverse the transit IP network
• Supports the advanced ACI forwarding features (distributed gateway, spine proxy, ARP direct forwarding, etc.)
• Supports multiple fabrics
• Great scalability (inter-fabric traffic does not need to traverse the border leaf)
Because the policy context rides in the VXLAN encapsulation across the transit network and that encapsulation is not itself encrypted, the transit network has to be treated as part of the fabric's trust boundary or protected by other means.
ACI Integration with WAN at Scale, Project GOLF: supported topologies and designs (diagram)
• Directly connected WAN routers, MP-BGP EVPN between the spines and the WAN routers
• Remote WAN routers reached across an IP network, MP-BGP EVPN
• Multi-POD + GOLF, MP-BGP EVPN
Next
• Policy Based Routing
• Permit Logging
• Security (DoD, CC, FIPS)
• Authentication of endpoint before admission into EPG
• Copy Service
• 50 vCenter per Fabric
• Tetration
• Multi-Pod
• Project GOLF
• FCoE NPV
Future
• Multi-Site
• Security (TrustSec)
• AzureStack
• IPAM Integration
• Converged ACI Stack
• MACsec
• 2-Factor Authentication
• 10G Breakout
• Hot and Cold Patching
• QinQ
NOTE: Future and beyond are in the planning stage
Thank you.