René Raeber, Distinguished Engineer - Cisco · Energy Cloud Data Deluge Efficiency Proliferation...

René Raeber, Distinguished Engineer

IEEE-802.1 DCB Architect, Datacenter Patent Reviewer

Application Centric Infrastructure

Cisco Connect, Riyadh, Saudi Arabia, April 29-30, 2014

Agenda

3

Introduction


1. Policy Model & Controller

2. The Fabric

3. The Data Plane

4. The Control Plane

5. Overlay’s ?

Questions & Summary


Agenda

Introduction



2. The Fabric

3. The Data Plane


5. Overlay’s ?

Questions & Summary


1960 1970 1980 1990 2000

Mainframe

Client Server

SOA=> SOI =>XaaS

Minicomputer/PC

Cloud


Data Center Demands

Business Challenges

Business Process Agility

Budget Constraints

Security Threats

Regulatory Compliance

Technology Trends

Energy Efficiency Cloud Data Deluge Proliferation

of Devices


What is Security ?

The conscious or unconscious acceptance of a risk in relation of the probability of this becoming to be reality … The conscious or unconscious acceptance of a risk in a certain

time and relation of the probability of this becoming to be reality …


Focus on IT Economics


Cisco-Blue

Cisco’s Phased Datacenter Approaches

Cisco-Fusion

Crescendo

Datacenter-3.0

Andiamo

Datacenter

Business

Advantage

Nuova

Unified

Datacenter

Insieme


Traditional Datacenter Center Architectures


Data Centers Need to Evolve

Distributed

• Manual Provisioning

• Limited scaling

• Rack-wide VM mobility

Fabric Based

Cloud

• Policy-based Provisioning

• Scale Physical and Virtual/Cloud

• DC-wide/Cross-DC VM Mobility

Compute Compute Storage Storage Services Services

L2,

L3

Fabric

Cloud

Application Driven

• Service-centric Provisioning

• Flexible – Anywhere, Anytime

• Cross-cloud VM Mobility

Compute Compute Storage Storage Services Services

L2,

L3

Programmable Provisionable

Monitoring Apps

Provisioning Apps

Networking Apps

End-

User

Apps

Integrated Fabric and Cloud

World of Many Clouds


Agenda

Introduction



2. The Fabric

3. The Data Plane


5. Overlay’s ?

Questions & Summary


A NEW OPERATING MODEL IS REQUIRED

TRADITIONAL

NETWORKING

MODEL

TODAY’S

SDN MODEL

FUTURE

MODEL

Proven and Reliable

Existing Infrastructure Model

Existing Application Model

Many Data Center today

Does not remove Complexity

Disjoint Overlay and Underlay

Multiple Management Points

Radical Simplification

Centralized Automation with Application Profiles

SW Flexibility with HW Performance

Software-Based Network Virtualization


Network of Devices

Applications will drive the network behavior and NOT the opposite



Rapid Deployment of Applications onto

Networks with Scale, Security and Full Visibility

CONTROLLER POLICY MODEL NEXUS 9500 and 9300

T h e A C I B u i l d i n g B l o c k s


SPINE – LEAF ARCHITECTURE

APIC

PHYSICAL AND VIRTUAL

SCALABLE ARCHITECTURE

SINGLE POINT OF CONTROL

HYPERVISOR HYPERVISOR HYPERVISOR


Any Application, Anywhere, Any Time — Physical and Virtual Common Application Network Profile

L/B APP DB F/W

L/B

WEB

APIC

HYPERVISOR HYPERVISOR HYPERVISOR

CONNECTIVIT

Y POLICY

SECURITY

POLICIES QOS

STORAGE

AND

COMPUTE

APPLICATION

L4..7

SERVICES

SLA

QoS

Security

Load

Balancing

APP PROFILE


APPLICATION

SECURITY

INFRASTRUCTURE

Web

Tier

App

Tier

DB

Tier

Trusted

Zone DB

Tier

DMZ

External

Zone

Cloud

Application Admin

Security Admin

Network Admin

Cloud Admin

COMMON POLICY AND OPERATIONS FRAMEWORK


Application Admin

Security Admin

Network Admin

SECURITY

Trusted

Zone DB

Tier

DMZ

External Zone

APPLICATION

COMMON POOL OF RESOURCES

Cloud Admin

Cloud

COMMON POLICY AND OPERATIONS FRAMEWORK


6

Fabric will self assemble starting from

multiple IFC sources

IFC bootstrap configuration

1) IFC Cluster Configuration

2) Fabric Name

3) TEP Address space (Infra-VRF)

4) …

Leaf switch discovers attached

IFC via LLDP, requests TEP

address and boot file via DHCP

2

1

Spine switch discovers attached

Leaf via LLDP, requests TEP

address and boot file via DHCP

3

Fabric can be discovered and initialized

from multiple sources concurrently

5

IFC Cluster

7

IFC Cluster will form when members

discovery each other via Appliance

Vector (AV)

FABRIC INITIALIZATION & MAINTENANCE

APIC

All nodes in the same APIC

cluster should contain same

bootstrap information if they

are intended to form a cluster

4

APIC APIC


Agenda

Introduction



2. The Fabric

3. The Data Plane


5. Overlay’s ?

Questions & Summary


The Data and Policy Model

Application Network Profiles

ACI Fabric

(and attached SLB and FWs)

- Easier Infrastructure Changes

- Security decoupled from IP

- Policy: virtual or physical servers

- Elasticity

Controller

Identity

Location

Policy

End Points Group

End

Points

Manage the entire Data

Center

(network and network

security)

Decoupling ‘Identity’ from ‘Location’


Application Policy Infrastructure Controller “APIC”

APIC Distributed Cluster Massive Scale-Out and N+2 Redundancy

Application

Policies APIC

Unified point of fabric automation and

management including application policies

Distributed clustered software running on

x86 appliance

Central management of Fabric:

End point policies

Firmware Spine / Leaf Imaging

Inventory

Topology

Monitoring / Troubleshooting

Compute Integration

3rd party integration

GUI, CLI and RESTful APIs


END-POINTS

A compute, storage or service instance attaching to a fabric

NIC

vNIC

.

.

.

end-points [ EP ]

Things that connect to the fabric and use it to interface with other things

iFabric


A compute, storage or service instance attaching to a fabric

EP

.

.

.

A collection of end-points with

identical network behavior form a …

Things that connect to the fabric and use it to interface with other things

EP

EP … end-point group [ EPG ]

All EPs share common properties Connectivity

Security/Access control

QoS

Services

…

END-POINTS


END-POINT GROUPS EPGS

EP

.

.

.

EP

EP … end-point group [ EPG ]

All EPs share common properties Connectivity

Security/Access control

QoS

Services

…

Can flexibly map into

application tier of multi-tier app

segmentation construct (ala VLAN)

a security construct

ESX port group

…

Allows to specify rules and policies on

groups of physical or virtual end-points

without understanding of specific

identifiers and regardless of physical

location.

EPG WEB

EPG APP SERVER

policies


END POINT GROUP CONTRACTS

EP

.

.

.

EP

EP

EPG WEB

EPG APP SERVER

contract provider

consumer

Allows to specify rules and policies on

groups of physical or virtual end-points

without understanding of specific

identifiers and regardless of physical

location.

… …

…

filter action

filter action

filter action

filter action

identifies subject to

which actions will be

applied

L4 port ranges

TCP options

…

identifies actions applied to

the subject

QoS

Log

Redirect into SVC graph

…

End points in group

WEB can access end-points in group APP

SERVER according to rules specified in the

contract

defined bi-directionally in the “provider” centric way


Tenant:

Software Services

C

C

Tenant:

Middleware Services

Tenant:

Storage

Services

EPG Portal DB

EPG Tools

EPG Login

EPG Software DB

EPG Internet

EPG Cisco Internal

C C

C

C

C

C

EPG Finance DB

EPG: Softw Distr

C

C

C

EPG Softw Portal

EPG OCM

EPG Internal Login

C EPG DSX

EPG DMZ NAS

C

C

C

C

EPG Upload

EPG Download

EPG Software

EPG Internal NAS

EXAMPLE : CISCO IT SOFTWARE SERVICES DEPLOYMENT


APIC Screen shot’s


Mapping to SDN Today

Imperative Control

Ele

me

nts

C

on

tro

l Sys

tem

A

dm

in

Declarative Control

Policy Mgr

Control + Data Plane

APIC SDN Controller

Policy Mgr + Control Plane

Data Plane

OpenFlow + OVSDB No standard protocol

exists


IETF-Opflex – A flexible, extensible policy protocol

OPFLEX is a new extensible policy resolution protocol designed for declarative control of any datacenter infrastructure. OPFLEX was designed to offer:

1. Abstract policies rather than device-specific configuration

2. Flexible, extensible definition of using XML / JSON

3. Support for any device – vswitch, physical switch, network services, servers, etc.

APIC

Opflex Agent Opflex Agent Opflex Agent Opflex Agent

Opflex Proxy

Hypervisor

Switch

Opflex

Agent

Firewall

Opflex

Agent

ADC

Opflex

Agent

Legacy API

Policies

Who can talk to whom

What about

Topology control

Ops stuff

http://tools.ietf.org/html/draft-smith-opflex-00









Open Ecosystem, Open APIS

TENANT AND APPLICATION AWARE

READ / WRITE ALL FABRIC INFO

PUBLISHED DATA MODEL OPEN SOURCE

APIC

Hypervisor Management

Automation Tools

Orchestration Frameworks

System Management

Security

ASA

Industry Standard Compliant

A Platform approach to Data Centre infrastructure


Agenda

Introduction



2. The Fabric

3. The Data Plane


5. Overlay’s ?

Questions & Summary


INNOVATIONS

NEXUS 9000

PRICE POWER EFFICIENCY PROGRAMMABILITY PORT DENSITY PERFORMANCE

PRICE COST STRUCTURE for 1G to 1/10GT and 10G to 40G migration

PERFORMANCE INDUSTRY LEADING PRICE / LINE CARD BANDWITH 1.92 Tbps per slot 100G ready

PORT DENSITY 20% HIGHER 36 Port 40 Gig Non-blocking Density

PROGRAMMABILITY JSON/XML API Linux Container for customer apps

POWER EFFICIENCY STATE OF THE ART BACKPLANE FREE DESIGN 15% greater power and cooling efficiency

MERCHANT+ ASIC APPROACH Innovation in Cisco ASICs


Migration

from Standalone to Fabric

Mode is possible

ACI

(Application Centric

Infrastructure)

Fab

ric

No change

Sta

nd

alo

ne

No change

Code adjustments

Topology

Forwarding

Enhancements

Change

Change

Data Model Policy Model

Topology

Forwarding

(Enhancements)

Major Change

Standalone Mode ‘devices’ controlled

separately Mode

Fabric Mode Central Controller Mode

Common Hardware

40 Gig (100Gig

future)

93xx

9504

9508

Nexus: 951

6

Two Software Modes


“Merchant+” strategy –

combination of merchant and custom silicon.

+


Merchant Custom

Broadcom Trident 2 Cisco “Northstar”

Cisco “Alpine”

Used in

Standalone &

Fabric Modes

Used in Fabric

Mode only

“Merchant+” strategy –

combination of merchant and custom silicon.

“Merchant +” Strategy


FLEXIBLE FORM FACTORS CAN ENABLE VARIABLE DATA CENTER DESIGN AND SCALING

Nexus® 9300 Nexus 9500

48 1/10G SFP+ & 12 QSFP+

SC

AL

AB

LE

1

GE

/10 G

bps/4

0 G

bps/1

00

GE

PE

RF

OR

MA

NC

E

PERFORMANCE PORTS PRICE PROGRAMMABILITY POWER

FCS

Q1

2014

96 1/10G-T & 8 QSFP+ FCS

Q1

2014

12-port QSFP+ GEM FCS

Q1

2014

ACI Ready Leaf Line Card

48 1/10G-T & 4 QSFP+

FCS

Q1

2014

ACI-ready Leaf line card

48 1/10G SFP+ & 4 QSFP+

FCS

Q1

2014

Aggregation line card

36 40G QSFP+

FCS

Q4

2013

C9500 8-Slot FCS

Q4

2013

Nexus 9000 switch family


Switching Portfolio Industry leading density and price / performance

48/96 port 4 slot (Mar’14) 8 slot 16 slot (Mar’14)

Height 2/3 RU 6-7 RU 13 RU 21 RU

I/O Module Slots 1 GEM 4 8 16

Fabric Capacity per System

(Tbps) NA 15 Tbps 30 Tbps 60 Tbps

Max Wire Rate

10G ports 48 576 1152 Future

Max Wire Rate

40G ports 12 144 288 576

Application Top of Rack Access

Small Aggregation

Small Aggregation,

Co-location

EoR Access or High

Density Aggregation/Spine High Density Spine

Upgradeable to Fabric ✔ ✔ ✔ ✔


FULL Application visibility A Single View of your Application in a distributed environment

Cisco Confidential

HEALTH SCORE

LATENCY

DROP COUNT

VISIBILITY

VMs

Physical

Application Delivery Controller

Firewall

39

96%

Microsecond(s)

Packets Dropped

5

25

7

3


QSFP BIDI Overview

40


Trunk Cabling

(100m)

Patch

panel

Jumper

Cable

10G Optical Link

Patch

panel

Jumper

Cable

40G BIDI OPTICS PRESERVE EXISTING 10G CABLING SIGNIFICANT TRANSCEIVER SAVINGS

$4,059 SAVINGS (LIST)

PER 40G LINK

Traditional 40G Optical Link—Complete Replacement

40G BiDi Optical Link—Reuse all 10G Cabling/Patch Panels +$2,200*

Source: Corning OM3 Cable & Patch Panel list prices, Cisco 40G BiDi list price, Competitors 40G SR4 list price

+$6,259*


Normalized Bandwidth Cost vs. Port Speed – Fixed & Modular Switches

2013 2015

2.5

3.3

1.0 1.01.31.0

6.0

4.0

1G 10G 40G 100G

1 G

bp

s

10 G

bp

s

40 G

bp

s


Normalized Bandwidth Cost vs. Port Speed – Modular Switches

2013 2015

1.4

2.0

1.0 1.0

0.70.6

1.4

1.2

1G 10G 40G 100G

1 G

bp

s

10 G

bp

s

40 G

bp

s


Agenda

Introduction



2. The Fabric

3. The Data Plane


5. Overlay’s ?

Questions & Summary


CLOS Fabric


ARRAY’S


Agenda

Introduction



2. The Fabric

3. The Data Plane


5. Overlay’s ?

Questions & Summary


Let’s Analyze a Tree Structure

Branch

Size

Decreases

The Leaves

The Branches

The Root


Spanning Tree Takes a Perfectly good Meshed Network and reduces it to a Tree !


Spanning Tree is NOT anymore Adequate !

Solutions that Keep All Link Forwarding Are More Desirable


Agenda

Introduction



2. The Fabric

3. The Data Plane


5. Overlay’s ?

Questions & Summary


Physical Network

Why Overlay’s ?


Layer 2 Layer 3 Extra

Bits

Overhead

(Bytes)

Legacy

Network

Multipath

Merchant

silicon

Vendors Standard

VxLAN ✔ ✔ ✔ 70 ✔ ✔ Insieme,

VMWare,

Cisco

Likely

NvGRE ✔ ✔ ✖ 62 ✖ ✔ Insieme, MSFT Likely

LISP ✖ ✔ ? 70 (56) ✔ ✖ Cisco Likely

STT ✔ ✔ ✔ 74 - 92 ✔ ✖ Nicira

(VMWare)

Unlikely

Overlay Comparison


Agenda

Introduction



2. The Fabric

3. The Data Plane


5. Overlay’s ?

Questions & Summary

ACI Launch NYC


APPLICATION

CENTRIC

INFRASTRCUTURE

APPLICATIONS ARE TIGHTLY

COUPLED TO THE NETWORK

Multicast Multi-Pathing and Fast Reroute

No Legacy Layer 2 Operations

Integrated Security Policies and Mobility

Centralized Visibility and Automation

Optimized Forwarding

No Flooding

F/

W DB DB

Decouple Application from Infrastructure

APIC

Application Profile and Policy

F/W F/W F/W

STORAGE STORAGE

WEB DB APP

10,000s ACLs

Separate for Physical and VMs

Inefficient Forwarding

Excessive Protocols

Multicast Limitations

FHRP VPC STP

Default

Gateway

Default

Gateway

MAKING NETWORKS SIMPLE IS NOT TRIVIAL

Cisco Connect, Riyadh, Saudi Arabia, April 29-30, 2014 58

Platform as a

Service

Application Owner

Platform as a

Service

Compute

Networking

Storage

Orchestration

Without ACI With ACI

Storage

Compute E2E

Automated

Provisioning

Se

curity

Partial

Automated

Provisioning

Evolution to Application Centric Infrastructure

Networking

*Application Policy Infrastructure Controller

Cisco Connect, Riyadh, Saudi Arabia, April 29-30, 2014 59

Security Configuration

Defining and Applying Network Setup and Policy Today vs. ACI

Tenant

Application Network Profile

Translate Setup

and Policy

Define Setup

And Policy

Network and Policy

Instantiate

Define Setup

and Policy

Today ACI

Translate Policy

Instantiate

Policy

Controller

Weeks Minutes

Faster Instantiation

Better Visibility

Portability

Re-Usability

permit tcp host 72.163.6.116 host 10.102.14.116 eq www

permit tcp host 72.163.6.116 host 10.102.14.116 eq 443


permit tcp host 72.163.6.117 host 10.102.14.116 eq www



permit tcp 173.37.144.164 0.0.0.31 host 10.103.14.116 eq www

permit tcp 173.37.144.164 0.0.0.31 host 10.103.14.116 eq 443

permit tcp 173.37.144.164 0.0.0.31 host 10.103.14.116 eq 50124

Network Switch

Configuration

Load balancer

Configuration

Vlan

Routing

Trunking

VIP

Listing port

Forwarding port

http SLB protocol

Servers to forward to

Multiple Devices:

Switches, Load-Balancers, Firewalls

EPG: Web EPG: App EPG: DB C C

Net

Net

App Sec Net App Sec Net


Application Centric Infrastructure (ACI) Summary Value Case

Network Operations & Management Network Provisioning

Type of Saving %

CAPEX Savings 25%

Power Savings 45%

Space Savings 19%

Compute Optimization Storage (NAS) Optimization

12 %

Optimization 20 %

Optimization

Automation Savings Provisioning SLA Improvement

Data Center Access 38 %

Access Control List

(ACL) 43 %

Local/Global Server

Load Balancing 41 %

Incident Management

Problem Management

Event Management

4x Increase in Bandwidth (10Gbs >

40Gbs)

Data Center Network Compute Storage

* Single Fabric * Single Fabric

58% Cost Savings

Data Center Access

Access Control List

(ACL)

Local/Global Server

Load Balancing

21%

Cost Savings

Service Management


Organization Implications Cisco Infrastructure Team Journey

61

NETWORK SECURITY COMPUTE STORAGE OPERATIONS IMPLEMENTATION ARCHITECTURE DESIGN

Network

UC/Video

Infrastructure as a Service

Virtu

al T

ea

ms


ACI Application Centric Infrastructure

APIC Application Policy Infrastructure Controller

DFA Distributed Fabric Automation

VDP Virtual Station Interface Discovery Protocol

VXLAN - Virtual eXtensible Local Area Network

VXLAN Segment - VXLAN Layer 2 overlay network over which VM’s communicate

VXLAN Overlay Network - another term for VXLAN Segment

VXLAN Gateway - an entity which forwards traffic between VXLAN and non-VXLAN environments

VTEP - VXLAN Tunnel End Point - an entity which originates and/or terminates VXLAN tunnels

VLAN - Virtual Local Area Network

VM - Virtual Machine

VNI - VXLAN Network Identifier (or VXLAN Segment ID)

ACL - Access Control List

ECMP - Equal Cost Multipath

IGMP - Internet Group Management Protocol

PIM - Protocol Independent Multicast

SPB - Shortest Path Bridging

ToR - Top of Rack

TRILL - Transparent Interconnection of Lots of Links

Normative

http://www.cisco.com/go/aci

http://wwwin.cisco.com/go/aci


Note: This slide is now a Layout choice

63

Don’t forget to activate your Cisco Live Virtual

account for access to all session material,

communities, and on-demand and live

activities throughout the year. Activate your

account at the Cisco booth in the World of

Solutions or visit www.ciscolive.com.

Complete Your Online Session Evaluation

Give us your feedback and

you could win fabulous prizes.

Winners announced daily.

Receive 20 Passport points

for each session evaluation

you complete.

Complete your session evaluation online

now (open a browser

through our wireless network to

access our portal) or visit one of

the Internet stations throughout

the Convention Center.

http://www.ciscolive.com

René Raeber, Distinguished Engineer - Cisco · Energy Cloud Data Deluge Efficiency Proliferation...

Documents

Transcript of René Raeber, Distinguished Engineer - Cisco · Energy Cloud Data Deluge Efficiency Proliferation...