Transcript of Software Defined Networking
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Software Defined Networking
Jimmy Ray Purser, PE/MSEE, TechWiseTV
SDN
Software Defined Networking
Classical SDN Model (diagram): inside each device the control plane decides where and how to send a packet and the data plane forwards packets; in the classical SDN model the control plane is pulled out of the devices into a Controller, driven by NETops/DEVops.
“…In the SDN architecture, the control and data planes are decoupled, network intelligence and state are logically centralized, and the underlying network infrastructure is abstracted from the applications…”
Source: www.opennetworking.org
Cisco Approach to Software Defined Networking
(Diagram: the same control-plane/data-plane split with a Controller and NETops/DEVops, but the control plane is kept on the devices alongside the controller.)
Preserve what's working; evolve for emerging requirements:
• Resiliency
• Scale & Security
• Rich Feature Set
• Operational Simplicity
• Programmability
• Application Aware
Evolution, NOT Revolution
Move to a Programmable Infrastructure
(Diagram: Applications → Services Orchestration → Network. Workflow and intent flow down to the network as programmability; network intelligence and guidance (statistics, states, objects and events) flow back up to analytics, policy and application + network security. Harvest network intelligence and security.)
Harvest Network Intelligence through deep programmatic access to Cisco devices and software
• onePK
• Openstack
• REST
• ACI
Centralize control, configuration, policy monitoring and SDN applications
• Cisco XNC
• OpenDaylight
• OpenFlow
• Puppet/Chef
• ACI
Build scalable multi-tenant cloud infrastructures with consistent operational experience between physical and virtual
• VXLAN
• NVGRE
• ACI
Cisco ONE: Open Network Environment Strategy
Cisco Confidential 7C97-732424-00 © 2014 Cisco and/or its affiliates. All rights reserved.
Introduction to Cisco Application Centric Infrastructure (ACI)
Cisco ACI Introduces Logical Network Provisioning of Stateless Hardware
(Diagram: the Cisco® ACI Fabric as a scale-out, penalty-free overlay; a Web → App → DB application with QoS, filter and service policies between the tiers and a connection to Outside (tenant VRF), all provisioned by the Cisco Application Policy Infrastructure Controller (APIC).)
Cisco ACI Network Profile: Policy-Based Fabric Management
• Extend the principle of Cisco UCS® Manager service profiles to the entire fabric
• Network profile: stateless definition of application requirements
  − Application tiers
  − Connectivity policies
  − Layer 4 – 7 services
  − XML/JSON schema
• Fully abstracted from the infrastructure implementation
  − Removes dependencies on the infrastructure
  − Portable across different data center fabrics
Network Profile: Defines Application-Level Metadata (Pseudo Code Example)
  <Network-Profile = Production_Web>
    <App-Tier = Web>
      <Connected-To = Application_Client>
        <Connection-Policy = Secure_Firewall_External>
      <Connected-To = Application_Tier>
        <Connection-Policy = Secure_Firewall_Internal & High_Priority>
    . . .
    <App-Tier = DataBase>
      <Connected-To = Storage>
        <Connection-Policy = NFS_TCP & High_BW_Low_Latency>
    . . .
(Diagram: an application with Web Tier, App Tier, DB Tier and Storage; the network profile fully describes the application connectivity requirements.)
Application Policy Model and Instantiation
All forwarding in the fabric is managed through the application network profile
• IP addresses are fully portable anywhere within the fabric
• Security and forwarding are fully decoupled from any physical or virtual network attributes
• Devices autonomously update the state of the network based on configured policy requirements
Application policy model: Defines the application requirements (application network profile)
Policy instantiation: Each device dynamically instantiates the required changes based on the policies
(Diagram: Application Client, Web Tier, App Tier, DB Tier and Storage VMs, with addresses such as 10.2.4.7, 10.9.3.37 and 10.32.3.7, placed anywhere across the fabric.)
Application Awareness: Application-Level Visibility
VXLAN per-hop visibility; physical and virtual as one
Cisco® ACI Fabric provides the next generation of analytic capabilities
Per application, tenants, and infrastructure:
• Health scores
• Latency
• Atomic counters
• Resource consumption
Integrate with workload placement or migration
Actions: no new hosts or VMs; evacuate hypervisors; re-balance clusters
(Diagram: a PetStore event drives triggered events or queries across PetStore Dev (Leaf 1 and 2, Spine 1 – 3), PetStore Prod (Leaf 2 and 3, Spine 1 – 2) and PetStore QA (Leaf 3 and 4, Spine 2 – 3), each with atomic counters.)
Cisco ACI Layer 4 - 7 Service Integration: Centralized and Automated and Supports Existing Model
• Elastic service insertion architecture for physical and virtual services
• Helps enable administrative separation between application-tier policy and service definition
• Cisco® APIC as central point of network control with policy coordination
• Automation of service bring-up/tear-down through programmable interface
• Supports existing operational model when integrated with existing services
• Service enforcement assured, regardless of endpoint location
(Diagram: Web Tier A (web servers) and App Tier B (app servers) connected through policy redirection to the “Security 5” chain. The Application Admin owns the application policy; the Service Admin owns the service graph (begin, Stage 1 … Stage N, end) built from providers such as firewall and load balancer instances, and the service profile. “Security 5” Chain Defined.)
Multihypervisor-Ready Fabric: Hypervisor Integration
(Diagram: Network Admin and Application Admin roles; physical servers and ESX, Hyper-V and KVM hosts attach to the Cisco® ACI Fabric using VLAN, VXLAN and NVGRE, with hypervisor management from VMware, Microsoft and Red Hat.)
Cisco® ACI Fabric:
• Integrated gateway for VLAN, VXLAN, and NVGRE networks from virtual to physical
• Normalization for NVGRE, VXLAN, and VLAN networks
• Customer not restricted by a choice of hypervisor
• Fabric is ready for multiple hypervisors
Open Ecosystem Framework: Full-Featured, Programmable API and Data Model
Object-oriented, centralized automation; RESTful XML/JSON
Comprehensive programmability and system access
Northbound API
• Rapid integration with existing management frameworks
• OpenStack
• Tenant and application aware
Southbound API
• Published data model - OpFlex
• Open source - Dev. Package and OVS
• Enables application portability
(Diagram: ecosystem partners across system management, hypervisor management, automation tools and orchestration frameworks, including Hewlett-Packard, CA Technologies, Arbor Networks, NetBrain, NetQoS, SolarWinds, Tivoli Software, InfoVista, XenServer, Red Hat KVM, Microsoft, VMware, Puppet Labs, Opscode, Python, CFEngine, CloudStack, Nebula, OpenStack and Eucalyptus.)
Cisco ACI: It’s a Policy-Based ‘IP’ Network. Extending ACI Policy and Automation into the Existing Data Center
(Diagram: the Cisco APIC policy controller; ACI leaves (Cisco Nexus® 9000 Series) and border leaves with directory/proxy service nodes; ACI virtual leaves (AVS) and vSwitch hosts in the IP-enabled data center network; Layer 4 - 7 partner services from A10 Networks, Palo Alto Networks, Citrix, Cisco and F5 Networks.)
• ACI services extended into any existing IP-enabled data center
• ACI policy and automation extended to virtual servers through Cisco AVS
• ACI policy and automation extended to physical and existing virtual servers through Cisco Nexus® 9000 Series Switches
• Cisco® ACI enabled Layer 4 - 7 virtual and physical services (support for existing and new service instances)
Cisco ACI Fabric Overview
Overview of the Cisco ACI Fabric
• Industry’s most efficient fabric
  − 1/10-Gbps edge – high-density 40-Gbps spine (100-Gbps capable)
  − 1 million+ IPv4 and IPv6 endpoints
  − 64,000+ tenants
  − 220,000+ 1/10-Gbps hosts in a single tier 3:1 oversubscribed fabric
• Routed fabric – optimal IP forwarding
  − Bridging (Layer 2) and routing (Layer 3) of VXLAN, NVGRE, and VLAN at scale
  − No x86 gateways – physical and virtual
  − Application agility – place and join without limits in the fabric
• Full visibility into virtual and physical
• Common operations from hypervisor to computing, to fabric, to WAN
(Diagram: Spine – inline overlay hardware database, 288 x 40-Gbps ports, higher capacity and lower cost. Fabric optimization – improved utilization, 1588 timing and latency, ECMP-based approaches. Scale – intelligent caching, overlay hardware offload, improved analytics.)
Overview of the Cisco ACI Fabric
(Diagram: the Application Policy Infrastructure Controller above Cisco® ACI spine nodes and Cisco ACI leaf nodes.)
• Cisco ACI Fabric provides:
  − Decoupling of endpoint identity, location, and associated policy, all of which are independent from the underlying topology
  − Full normalization of the ingress encapsulation mechanism used: 802.1Q VLAN, IETF VXLAN, and IETF NVGRE
  − Distributed Layer 3 gateway to help ensure optimal forwarding for Layers 3 and 2
  − Support for standard bridging and routing semantics without standard location constraints (any IP address anywhere)
  − Service insertion and redirection
  − Removal of flooding requirements for IP control plane (ARP, GARP, DHCP, and Unknown Unicast)
Cisco ACI Fabric: IP Network with an Integrated Overlay
• Cisco® ACI fabric is based on an IP fabric supporting routing to the edge with an integrated overlay for host routing
  − All end-host (tenant) traffic within the fabric is carried through the overlay
• The fabric is capable of supporting an arbitrary number of tiers and/or partial mesh if required
• Why choose an integrated overlay?
  − Mobility, scale, multitenancy, and integration with emerging hypervisor designs
  − Data traffic can now carry explicit metadata that allows for distributed policy (flow-level control without requiring flow-level programming)
(Diagram: IP fabric with integrated overlay; each node is assigned loopback IP address(es) advertised through IS-IS; IP unnumbered 40-Gbps links.)
Cisco ACI Fabric: Decoupled Identity, Location, and Policy
• Cisco® ACI fabric decouples the tenant endpoint address - its identifier - from the location of that endpoint, which is defined by its locator, or VTEP address
• Forwarding within the fabric is between VTEPs (VXLAN tunnel endpoints) and takes advantage of an extended VXLAN header format, which makes use of the Reserved Bits in the VXLAN header
• The mapping of the internal tenant MAC or IP address to the location is performed by the VTEP, using a distributed mapping database
(Diagram: a VTEP at each leaf; fabric frame format Payload | IP | VXLAN | VTEP.)
Cisco ACI Fabric Encapsulation Normalization
(Diagram: localized encapsulations VXLAN VNID = 5789, VXLAN VNID = 11348, NVGRE VSID = 7456 and 802.1Q VLAN 50 are mapped any-to-any onto the normalized encapsulation of the IP fabric using VXLAN tagging; fabric frame format Payload | IP | VXLAN | VTEP.)
• All traffic within the Cisco® ACI fabric is encapsulated with an extended VXLAN header
• External VLAN, VXLAN, and NVGRE tags are mapped at ingress to an internal VXLAN tag
• Forwarding is not limited to, nor constrained within, the encapsulation type or encapsulation ‘overlay’ network
• External identifiers are localized to the Leaf or Leaf port (future), allowing reuse and/or translation if required
(Diagram: normalization of ingress encapsulation, showing VXLAN (Eth | Outer IP | VXLAN), NVGRE (Eth | Outer IP | NVGRE) and 802.1Q frames, each carrying IP and payload, all rewritten to the fabric's Eth MAC | IP | Payload form.)
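The ingress normalization described in the bullets above, as an added example that is not Cisco code: a standard VXLAN header is parsed (RFC 7348 layout), and a per-leaf table keyed on (port, external tag) rewrites the slide's VLAN 50, VNID 5789/11348 and VSID 7456 onto internal VNIDs. The internal VNID values, the port numbers and the sample frames are constructed for the illustration; the fabric's own extension of the VXLAN reserved bits is not described on the page and is not modelled.

```python
import struct
from dataclasses import dataclass

VXLAN_FLAG_I = 0x08  # RFC 7348 "I" flag: the VNI field is valid


@dataclass(frozen=True)
class Encap:
    """External encapsulation seen on an ingress port."""
    kind: str   # "vlan" (802.1Q), "vxlan" or "nvgre"
    ident: int  # VLAN ID, VXLAN VNID or NVGRE VSID


def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)


def parse_vxlan_header(hdr: bytes) -> int:
    """Return the VNI of a standard VXLAN header, rejecting malformed ones.

    Reserved bits are ignored on receive, as RFC 7348 requires; only the
    standard format is handled here, i.e. what arrives at the fabric edge.
    """
    if len(hdr) < 8:
        raise ValueError("short VXLAN header")
    word0, word1 = struct.unpack("!II", hdr[:8])
    if not (word0 >> 24) & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set: no valid VNI")
    return word1 >> 8


class IngressNormalizer:
    """Per-leaf table mapping (port, external encap) -> internal VNID.

    External identifiers are local to the leaf port, so VLAN 50 on two
    ports may belong to two different internal segments.
    """

    def __init__(self) -> None:
        self._bindings: dict[tuple[int, Encap], int] = {}

    def bind(self, port: int, encap: Encap, internal_vnid: int) -> None:
        if not 0 <= internal_vnid < (1 << 24):
            raise ValueError("internal VNID must fit in 24 bits")
        self._bindings[(port, encap)] = internal_vnid

    def normalize(self, port: int, encap: Encap) -> bytes:
        """Return the fabric VXLAN header for a frame arriving with `encap`.

        A (port, encap) pair without a binding is not forwarded: an
        unexpected tag must never be mapped into someone else's segment.
        """
        try:
            vnid = self._bindings[(port, encap)]
        except KeyError:
            raise LookupError(f"no binding for {encap} on port {port}") from None
        return build_vxlan_header(vnid)


def demo_normalization() -> dict:
    """Exercise the slide's four localized encapsulations (internal VNIDs constructed)."""
    leaf = IngressNormalizer()
    leaf.bind(1, Encap("vlan", 50), 0x00A001)     # 802.1Q VLAN 50 on port 1
    leaf.bind(2, Encap("vlan", 50), 0x00A002)     # same VLAN ID on port 2: a different segment
    leaf.bind(3, Encap("vxlan", 5789), 0x00A003)
    leaf.bind(3, Encap("vxlan", 11348), 0x00A004)
    leaf.bind(4, Encap("nvgre", 7456), 0x00A003)  # NVGRE segment joining the VXLAN 5789 segment

    # An external VXLAN frame arriving on port 3: parse its VNID, then normalize it.
    ext_vni = parse_vxlan_header(build_vxlan_header(5789))

    out = {
        "vlan50_port1": parse_vxlan_header(leaf.normalize(1, Encap("vlan", 50))),
        "vlan50_port2": parse_vxlan_header(leaf.normalize(2, Encap("vlan", 50))),
        "vxlan5789": parse_vxlan_header(leaf.normalize(3, Encap("vxlan", ext_vni))),
        "nvgre7456": parse_vxlan_header(leaf.normalize(4, Encap("nvgre", 7456))),
    }
    try:
        leaf.normalize(1, Encap("vlan", 51))  # a tag with no binding on this port
        out["unbound"] = "forwarded"
    except LookupError:
        out["unbound"] = "dropped"
    return out
```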
Location-Independent Forwarding: Layer 2 and Layer 3
(Diagram: endpoints 10.1.1.10, 10.1.3.11, 10.6.3.2 and 10.1.3.35 attached across the fabric, shown for both the distributed default gateway and the directed ARP forwarding cases.)
• Cisco® ACI fabric supports full Layer 2 and Layer 3 forwarding semantics; no changes required to applications or endpoint IP stacks
• Cisco ACI fabric provides optimal forwarding for Layer 2 and Layer 3
  − Fabric provides a pervasive SVI, which allows a distributed default gateway
  − Layer 2 and Layer 3 traffic are directly forwarded to the destination endpoint
• IP ARP and GARP packets are forwarded directly to the target endpoint address contained within the ARP or GARP header (elimination of flooding)
Scale Enhancements: Inline Hardware Mapping DB - 1,000,000+ Hosts
• The forwarding table on the leaf switch is divided between local (directly attached) and global entries
• The leaf global table is a cached portion of the full global table
• If an endpoint is not found in the local cache the packet is forwarded to the default forwarding table in the spine switches (1,000,000+ entries in the spine forwarding table)
(Diagram: spine proxies Proxy A and Proxy B hold the proxy station table, which contains addresses of all hosts attached to the fabric, with entries such as 10.1.3.11 → Leaf 1 and 10.1.3.35 → Leaf 3 and IPv6 link-local endpoints fe80::462a:60ff:fef7:8e5e and fe80::62c5:47ff:fe0a:5b1a on Leaf 4 and Leaf 6. Each leaf's global station table contains a local cache of the fabric endpoints (e.g. 10.1.3.35 → Leaf 3, default Proxy A*), and its local station table contains addresses of all hosts attached directly to the leaf (e.g. 10.1.3.11 → Port 9).)
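The three-table lookup from the slide above, as an added example that is not Cisco code: a local station table, a bounded global station cache with LRU eviction, and a spine proxy that holds the full table, populated with the slide's addresses. The cache size, the leaf placement of the two IPv6 endpoints and the way a leaf learns a cached entry after a proxy forward are assumptions made for the illustration; the point shown is that a miss goes to the proxy and is never flooded.

```python
from dataclasses import dataclass
from typing import Optional, Union


@dataclass(frozen=True)
class LocalHit:
    port: int      # destination is directly attached: send out this leaf port


@dataclass(frozen=True)
class RemoteHit:
    leaf: str      # destination sits behind another leaf: tunnel to that leaf's VTEP


@dataclass(frozen=True)
class ProxyForward:
    proxy: str     # not cached on this leaf: tunnel to the spine proxy holding the full table


Decision = Union[LocalHit, RemoteHit, ProxyForward]


class SpineProxy:
    """Proxy station table: addresses of all hosts attached to the fabric."""

    def __init__(self, name: str, entries: dict[str, str]) -> None:
        self.name = name
        self._table = dict(entries)   # address -> leaf

    def lookup(self, addr: str) -> Optional[str]:
        return self._table.get(addr)


class Leaf:
    """The leaf-side tables from the slide.

    local        - local station table: hosts attached directly to this leaf
    global_cache - global station table: a bounded cache of fabric endpoints
    proxy        - default: anything not cached is sent to the spine proxy
    """

    def __init__(self, name: str, proxy: SpineProxy, cache_size: int = 2) -> None:
        self.name = name
        self.proxy = proxy
        self.cache_size = cache_size
        self.local: dict[str, int] = {}
        self.global_cache: dict[str, str] = {}   # insertion order doubles as LRU order

    def attach(self, addr: str, port: int) -> None:
        self.local[addr] = port

    def forward(self, addr: str) -> Decision:
        if addr in self.local:
            return LocalHit(self.local[addr])
        if addr in self.global_cache:
            leaf = self.global_cache.pop(addr)      # refresh: most recently used
            self.global_cache[addr] = leaf
            return RemoteHit(leaf)
        # Cache miss: the leaf never floods; the packet goes to the spine proxy.
        # Assumption for this example: the leaf then learns the proxy's answer
        # into its cache (the page does not describe the real learning path).
        leaf = self.proxy.lookup(addr)
        if leaf is not None:
            self._cache(addr, leaf)
        return ProxyForward(self.proxy.name)

    def _cache(self, addr: str, leaf: str) -> None:
        if len(self.global_cache) >= self.cache_size:
            del self.global_cache[next(iter(self.global_cache))]   # evict least recently used
        self.global_cache[addr] = leaf


def build_slide_fabric() -> Leaf:
    """Leaf 1 and Proxy A populated with the addresses shown on the slide."""
    proxy_a = SpineProxy("Proxy A", {
        "10.1.3.11": "Leaf 1",
        "10.1.3.35": "Leaf 3",
        "fe80::462a:60ff:fef7:8e5e": "Leaf 4",   # leaf placement assumed
        "fe80::62c5:47ff:fe0a:5b1a": "Leaf 6",   # leaf placement assumed
    })
    leaf1 = Leaf("Leaf 1", proxy_a)
    leaf1.attach("10.1.3.11", 9)                 # local station table: 10.1.3.11 on Port 9
    leaf1._cache("10.1.3.35", "Leaf 3")          # global station table: one cached entry
    return leaf1
```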
Cisco ACI Fabric Load Balancing: Focus on the Application Response Time
• Cisco® ACI fabric tracks the congestion along the full path between the ingress leaf and the egress leaf through the data plane (real-time measurements)
  − Congestion on switch-to-switch ports (external wires)
  − Congestion on internal ASIC-to-ASIC connections (internal wires)
• Fabric load-balances traffic on a “flowlet” basis
  − Dynamic shedding of active flows from congested to less congested paths
• Fabric prioritizes small (and early) flowlets
  − Provides DC-TCP behavior without having to modify host stacks
  − Ramps up large TCP flows faster
Improved Application Performance: Fabric Efficiency
• Improve fabric capacity (resulting in more VMs per port)
• Improve application response over standard ECMP
Dynamic Load Balancing and Dynamic Flow Prioritization
(Chart: normalized average flow completion time, on a 0 to 1 scale, for small flows (0, 100 KB), medium flows (100 KB, 5 MB) and large flows (5 MB, Inf), comparing Cisco® ACI dynamic load balancing + flow prioritization against a standard ECMP network; the values 0.12, 0.21 and 0.20 are marked on the chart.)
Up to 80% improvement in application flow completion time
Up to 60% improved utilization of the fabric capacity
Telemetry: TEP-to-TEP Atomic Counters
• TEP-to-TEP counters
  − Packet and byte counts between all leaf TEPs
  − Matrix of load to and from each leaf to all other leaves
  − Always active; level of granularity is TEP to TEP
(Diagram: TEP-to-TEP atomic counters kept in an odd bank and an even bank.)
Telemetry: Atomic Counters
Packets sent from Leaf 2 to Leaf 5, packets received on Leaf 5 sent from Leaf 2, and the difference, per path:
Path     Sent from Leaf 2   Received on Leaf 5   Difference
Path 1   2068               2066                 2
Path 2   2963               2963                 0
Path 3   2866               2869                 -3
Path 4   2506               2506                 0
Telemetry: Fabric Latency Measurements
• Matrix of latency measurements between all leaves is tracked at each leaf
• Per-port average latency and variance to up to 576 other leaves
  − Maximum accumulation, sum of squares, and packet count
• Per-port 99% latency (recorded to up to 576 other leaves)
  − 99% of all packets have recorded latency less than this value
• 48-bucket histogram
(Diagram: boundary clock and PTP time sync; external clock source (pulse per second [PPS]) on each supervisor in the spine chassis.)
Cisco ACI Fabric: 64,000+ Dedicated, One-Hop Tenant Networks
• 1 million+ IPv4 and IPv6 (post-FCS) endpoints within a single fabric
• 64,000+ tenants within a single fabric
• 200,000+ 10-Gbps ports
• Any service anywhere for physical and virtual
• Normalizes encapsulations for VXLAN, VLAN, and NVGRE
  − No need for additional software or hardware gateways to connect between physical and virtual
  − No latency penalty and no throughput penalty
(Diagram: four tenant networks, each with VMs, a DB and a QFP.)
Cisco ACI Fabric: Tenants, Private Networks, Bridge Domains, EPGs, etc.
(Diagram, as laid out on the slide: Tenant “University” contains the private networks PN “Engineering” and PN “Business”. Under Engineering, Bridge Domain 172 (subnets 172.1.1.0/24, 172.1.2.0/24 … 172.20.1.0/24) holds EPG Web and EPG App, and Bridge Domain 10 (subnet 10.1.1.0/24) holds EPG DB, connected by policies “HTTP” and “SQL”. Under Business, Bridge Domain 100 (subnets 10.1.1.0/24, 10.1.2.0/24 …) holds EPG App, EPG Web and EPG DB with policies “HTTP” and “SQL”; the same 10.1.1.0/24 subnet appears in both private networks. Apps sit above the infrastructure layer.)
Layer 4-7 Services Integration
Goals of Cisco APIC Service Insertion and Automation
• Configure and manage VLAN allocation for service insertion
• Configure the network to redirect traffic through service device
• Configure network and service function parameters on service device
Automate Service Insertion through Cisco APIC
Endpoint group (EPG): Collection of similar endpoints identifying a particular application tier. An endpoint could represent VMs, VNICs, IP, DNS name, etc.
Application profile: Collection of EPGs and the policies that define the way EPGs communicate with each other
(Diagram: an application profile with WEB, APP and DB EPGs, policies between them and a connection to EXTERNAL.)
Application Policy
(Diagram: EPG - APP consumes the DB contract; EPG - DB provides it.)
DB Contract: MSSQL: Accept; MySQL: Accept; HTTP: Accept, Count
Filter: named collection of L4 port ranges
• HTTP = [80, 443]
• MSSQL = [1433-1434]
• MySQL = [3306, 25565]
• DNS = [53, 953, 1337, 5353]
Action: what action or actions to take on a packet
• Accept
• Service Insert
• Count
• Copy (future software release)
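The EPG / contract / filter model from the "Application Policy" slide and the EPG definitions on the slide before it, as an added example that is not Cisco APIC code. The filter port sets, the DB contract and the EPG names come from the slides; the evaluation logic is constructed and assumes whitelist semantics (no matching contract between two EPGs means the packet is dropped) and that a contract applies in the consumer-to-provider direction only.

```python
from dataclasses import dataclass, field

# Filters from the slide: named collections of inclusive L4 port ranges.
FILTERS: dict[str, list[tuple[int, int]]] = {
    "HTTP": [(80, 80), (443, 443)],
    "MSSQL": [(1433, 1434)],
    "MySQL": [(3306, 3306), (25565, 25565)],
    "DNS": [(53, 53), (953, 953), (1337, 1337), (5353, 5353)],
}
# Actions from the slide ("Copy" is listed as a future software release).
ACTIONS = {"Accept", "Service Insert", "Count", "Copy"}


@dataclass
class Contract:
    name: str
    rules: dict[str, tuple[str, ...]]   # filter name -> actions taken on matching packets

    def __post_init__(self) -> None:
        for flt, actions in self.rules.items():
            if flt not in FILTERS:
                raise ValueError(f"unknown filter {flt!r}")
            unknown = set(actions) - ACTIONS
            if unknown:
                raise ValueError(f"unknown action(s) {unknown}")


@dataclass
class EPG:
    name: str
    provides: set = field(default_factory=set)   # contract names this EPG provides
    consumes: set = field(default_factory=set)   # contract names this EPG consumes


def filter_matches(flt: str, dport: int) -> bool:
    return any(lo <= dport <= hi for lo, hi in FILTERS[flt])


class PolicyEngine:
    """Whitelist evaluation (assumed): a packet from a consumer EPG to a provider
    EPG is allowed only if a contract between them has a filter matching the
    destination port; anything else, including the reverse direction, is dropped."""

    def __init__(self, contracts: list, epgs: list) -> None:
        self.contracts = {c.name: c for c in contracts}
        self.epgs = {e.name: e for e in epgs}
        self.counters: dict[tuple[str, str, str], int] = {}   # (contract, filter, flow) -> hits

    def evaluate(self, src: str, dst: str, dport: int) -> list:
        consumer, provider = self.epgs[src], self.epgs[dst]
        actions: list = []
        for cname in sorted(consumer.consumes & provider.provides):
            for flt, acts in self.contracts[cname].rules.items():
                if not filter_matches(flt, dport):
                    continue
                actions.extend(a for a in acts if a not in actions)
                if "Count" in acts:
                    key = (cname, flt, f"{src}->{dst}")
                    self.counters[key] = self.counters.get(key, 0) + 1
        return actions or ["Drop"]


def build_slide_policy() -> PolicyEngine:
    """The DB contract as shown on the slide, provided by EPG DB and consumed by EPG APP."""
    db_contract = Contract("DB", {
        "MSSQL": ("Accept",),
        "MySQL": ("Accept",),
        "HTTP": ("Accept", "Count"),
    })
    app = EPG("APP", consumes={"DB"})
    db = EPG("DB", provides={"DB"})
    web = EPG("WEB")   # WEB has no contract with DB, so WEB -> DB traffic is dropped
    return PolicyEngine([db_contract], [app, db, web])
```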
Service Automation Through Device Package
Device package – device specification (pseudo code):
  <dev type= “f5”>
    <service type= “slb”>
      <param name= “vip”>
        <dev ident=“210.1.1.1”
        <validator=“ip”
        <hidden=“no”>
        <locked=“yes”>
(Diagram: the Cisco APIC policy element holds the device model and device-specific Python scripts; the Cisco APIC script interface and script engine run on the APIC node; the device interface to the service device is REST/CLI.)
• Service automation requires a vendor device package. It is a zip file containing
  − Device specification (XML file)
  − Device scripts (Python)
• Cisco® APIC interfaces with the device using device Python scripts
• Cisco APIC uses the device configuration model provided in the package to pass appropriate configurations to the device scripts
• Device script handlers interface with the device using its REST or CLI interface
Service Function Graph
(Diagram: service graph “web-application” with terminals and connectors chaining Func: Firewall → Func: SSL offload → Func: Load Balancing; the functions are rendered on the same device.)
Firewall params: Permit ip tcp * dest-ip <vip> dest-port 80; Deny ip udp *
SSL params: Ipaddress <vip> port 80
Load-Balancing params: virtual-ip <vip> port 80; Lb-algorithm: round-robin
Service Insertion
(Diagram: the application profile with EXTERNAL, WEB, APP and DB EPGs and the policies between them; service graph “WebGraph” (Func: Firewall → Func: Load Balancer) and service graph “appGraph” (Func: Load Balancer) are inserted on those policies, each graph with Terminal: Input1 and Terminal: Output1.)
Multihypervisor Integration
Hypervisor Interaction with Cisco ACI
Integrated Mode
• Cisco ACI fabric as a policy authority
• Encapsulations normalized and dynamically provisioned
• Integrated policy domains across physical and virtual
Nonintegrated Mode
• Cisco® ACI fabric as an IP-Ethernet transport
• Encapsulations manually allocated
• Separate policy domains for physical and virtual
(Diagram: APP, WEB and DB EPGs spanning physical and virtual in integrated mode; manually allocated VLAN 10, VLAN 10 and VXLAN 10000 in nonintegrated mode.)
Hypervisor Integration with Cisco ACI: Control Channel - VMM Domains
• Relationship is formed between Cisco® APIC and Virtual Machine Manager (VMM)
• Multiple VMMs likely on a single Cisco ACI Fabric
• Each VMM and associated virtual hosts are grouped within Cisco APIC
  • Called VMM domain
• There is a 1:1 relationship between a virtual switch and VMM domain
(Diagram: VMM Domain 1 – VMware vCenter DVS on VMware vSphere; VMM Domain 2 – VMware vCenter AVS on VMware vSphere; VMM Domain 3 – Microsoft System Center Virtual Machine Manager 2012 (SCVMM).)
Hypervisor Integration with Cisco ACI
• Cisco® ACI fabric implements policy on virtual networks by mapping endpoints to EPGs
• Endpoints in a virtualized environment are represented as the vNICs
• VMM applies network configuration by placement of vNICs into port groups or VM networks
• EPGs are exposed to the VMM as a 1:1 mapping to port groups or VM networks
(Diagram: an application network profile with EPG WEB, EPG APP and EPG DB (firewall and load balancer between them) mapped 1:1 to WEB PORT GROUP, APP PORT GROUP and DB PORT GROUP, each holding VMs.)
Cisco ACI Fabric – Integrated Overlay: Data Path - Encapsulation Normalization
(This slide repeats the diagram and bullets of the “Cisco ACI Fabric Encapsulation Normalization” slide above.)
Hypervisor Integration with Cisco ACI: VMM Domains and VLAN Encapsulation
• VLAN ID only gives 4000 EPGs (12 bits)
• Scale by creating pockets of 4000 EPGs
• Map EPGs to VMM domain based on scope of live migration
• Place VM anywhere
• Live migrate within VMM domain
(Diagram: endpoints spread across VMM Domain 1 (4000 EPGs) and VMM Domain 2 (4000 EPGs) over a fabric of 16 million virtual networks.)
Hypervisor Integration with Cisco ACI: VMM Domains and VLAN Encapsulation
(Diagram repeating the previous slide's bullets: endpoints in VMM Domain 1 (4000 EPGs) and VMM Domain 2 (4000 EPGs), with host-side VLAN 5 and VLAN 16 shown alongside fabric VNID 6032 among 16 million virtual networks.)
Hypervisor Integration with Cisco ACI: Endpoint Discovery
• Virtual endpoints are discovered for reachability and policy purposes through 2 methods:
  • Control-plane learning:
    − Out-of-band handshake: VMware vCenter APIs
    − Inband handshake: OpFlex-enabled host (AVS, Microsoft Hyper-V, etc.)
  • Data-path learning: distributed-switch learning
• LLDP used to resolve virtual host ID to attached port on leaf node (non-OpFlex hosts)
(Diagram: an OpFlex host with a control (OpFlex) channel and a data path to the leaf; a DVS host with only a data path to the leaf; the VMM (VMware vSphere or Microsoft System Center Virtual Machine Manager 2012) with a control channel (VMware vCenter API) to the APIC.)
EPG Spanning VMM Domains
The fabric normalizes VLANs, which allows reuse and efficient communication across VMM domains
VXLAN is not required to address the 4000 VLAN limitation (VXLAN is supported if desired)
An EPG can be spread across multiple VMM domains (common policy across domains)
(Diagram: VMM Domain 1 (4000 EPGs; hosts managed by VMware vCenter and VMware vShield) holds Web EPG and App EPG VMs; VMM Domain 2 (4000 EPGs; hosts managed by VMware vCenter and VMware vShield) holds DB EPG and App EPG VMs, so the App EPG spans both domains.)
VMware Integration: Three Options
Application Virtual Switch (AVS)
• Encapsulations: VLAN, VXLAN
• Installation: VIB through VUM or Console
• VM discovery: OpFlex
• Software/Licenses: VMware vCenter with Enterprise+ License
vCenter + vShield
• Encapsulations: VLAN, VXLAN
• Installation: Native
• VM discovery: LLDP
• Software/Licenses: VMware vCenter with Enterprise+ License, vShield Manager with vShield License
Distributed Virtual Switch (DVS)
• Encapsulations: VLAN
• Installation: Native
• VM discovery: LLDP
• Software/Licenses: VMware vCenter with Enterprise+ License
(Diagram: AVS on VMware vSphere; vCenter + vShield on VMware vSphere + VMware vShield; DVS on VMware vSphere.)
Microsoft Interaction with Cisco ACI: Two Options
Integration with Microsoft SCVMM
• Policy management: Through Cisco® APIC
• Software and license: Microsoft Windows Server with Hyper-V and SCVMM
• VM discovery: OpFlex
• Encapsulations: VLAN and NVGRE (future)
• Plug-in installation: Manual
Integration with Microsoft Azure Pack
• Superset of Microsoft SCVMM
• Policy management: Through Cisco APIC or Microsoft Azure Pack
• Software and license: Microsoft Windows Server with Hyper-V, SCVMM, and Azure Pack (free)
• VM discovery: OpFlex
• Encapsulations: VLAN and NVGRE (future)
• Plug-in installation: Integrated
(Diagram: Microsoft System Center Virtual Machine Manager on its own for the first option; Windows Azure + Microsoft System Center Virtual Machine Manager for the second.)
OpenStack Components
(Diagram: Dashboard (horizon) provides the UI for, and Identity (keystone) authenticates with, the OpenStack services Network (Neutron), Compute (nova), Object (swift), Block (cinder) and Image (glance). Initial focus on networking (Neutron).)
OpenStack Neutron Networking Model
(Diagram: Core API – Tenant, Network, Subnet, Port; Layer 3 + External Net Extension – Router, Network: External; Security Group Extension – Security Group, Security Group Rule.)
OpenStack Neutron Networking Model
(Diagram: the corresponding Cisco ACI objects – Tenant, Context (VRF), Bridge Domain, Subnet, App Profile, Endpoint Group, Contract, Subject, Outside Network.)
Cisco OpenStack / Cisco ACI Model: Neutron API Mapping
OpenStack             Cisco® ACI
Tenant                Tenant
No Equivalent         Application Profile
Network               EPG + Bridge Domain
Subnet                Subnet
Security Group        Handled by Host
Security Group Rule   Handled by Host
Router                Layer 3 Context
Network: External     Layer 3 Outside
Group-Based Policy in OpenStack: Approved for Juno Release
https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction
• Messy mapping of Cisco® ACI to current OpenStack components
  − Endpoint groups (ports + security groups)
  − Contracts (security groups + security group rules)
• Goal: Introduce Cisco ACI model into OpenStack
• Starting with groups and group-based policies
Cisco Application Policy Infrastructure Controller (APIC)
Cisco Application Policy Infrastructure Controller: Centralized Automation and Fabric Management
(Diagram: Layer 4 - 7, system management, storage management and orchestration management integrate through the open RESTful API and policy-based provisioning; storage, server, network, security, application and OS SMEs; partners including Citrix, Cisco, F5, EMC Corporation, NetApp, Puppet Labs, OpsCode, Python, CFEngine, Microsoft, XenServer, CloudStack, OpenStack, VMware and Red Hat KVM.)
• Unified point of data center network automation and management:
− Application-centric network policies
− Data model-based declarative provisioning
− Application, topology monitoring, and troubleshooting
− Third-party integration (Layer 4 - 7 services, storage, compute, WAN, etc.)
− Image management (spine and leaf)
− Fabric inventory
• Single Cisco® APIC cluster supports one million+ endpoints, 200,000+ ports, and 64,000+ tenants
• Centralized access to all fabric information - GUI, CLI, and RESTful APIs
• Extensible to computing and storage management
Cisco Application Policy Infrastructure Controller: Cluster Availability
Single point of management without a single point of failure
Cisco APIC Cluster: distributed, synchronized, and replicated
• Applications fully use clustered and replicated controller (N+1, N+2, etc.)
• Any node is able to service any user for any operation
• Transparent Cisco® APIC node additions and deletions
• Fully automated Cisco APIC software cluster upgrade with redundancy during upgrade
• Cluster size based on transaction rate requirements
• Cisco APIC is not in the data path
Fabric Initialization and Maintenance
• Cisco ACI fabric supports discovery, boot, inventory, and systems maintenance processes through Cisco APIC
  - Fabric discovery and addressing
  - Image management
  - Topology validation through wiring diagram and system checks
(Diagram: the Cisco APIC cluster; topology discovery through LLDP using Cisco® ACI specific TLVs (Cisco ACI OUI); loopback and VTEP IP addresses allocated from the “infra VRF” through DHCP from Cisco APIC.)
Cisco ACI Fabric - Managed Objects
(Diagram: the dMIT rooted at Root; each MO carries a class, a dn and properties prop1, prop2, ….)
Full, unified description of entities; no artificial separation of configuration, state, or runtime data
• Everything is an object
• Objects are hierarchically organized
• Class identifies object type: card, port, path, EPG, etc.
• Class inheritance
  • An access port is a subclass of the port
  • A leaf node is a subclass of the fabric node
• Set of attributes: identity, states, descriptions, references, lifecycle
• Distributed managed information tree (dMIT) contains comprehensive system information
  • Discovered components
  • System configuration
  • Operation status, including statistics and faults
Cisco ACI Fabric Managed Objects: Authentication, Authorization, and RBAC
• Access to all managed objects is authenticated and encrypted
• Every object has a unique set of RBAC read and write attributes
• Cisco APIC and fabric are designed to support multitenant and multi-SME operations
• Local and external AAA (TACACS+, RADIUS, and LDAP) authentication and authorization
(Diagram: Universe → Tenant: Pepsi (App Profile, EPGs, Layer 3 Networks), Tenant: Coke (App Profile, EPGs, Layer 3 Networks) and Fabric → Switch → Line Cards → Ports.)
(Diagram: the managed-object tree under universe. Fabric1 → Switch1, Switch2, Switch3 → LC1, LC2 → Port1 … PortN-1, PortN, with port stats; Infrastructure; Tenant network profiles, EPGs and EPs: Network Profile Pepsi with Endpoint Group Pepsi-DB, Network Pepsi-Net, Layer 3 Network PepsiL3Net, Layer 2 Network PepsiL2Net and endpoints, plus Network Profile Coke; Shared Policies: QoS Policy (referenced by name from Pepsi) and Access Policy.)
Example: Provider Admin – User: admin, Domain: all, Role: infra-admin
Example: Tenant Admin – User: pepsi_admin, Domain: pepsi, Role: admin
Example: Tenant Read-Only Operator – User: pepsi_operations, Domain: pepsi, Roles: ep-stats, ep-events
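The security-domain plus role check behind the three example users above (and the per-object RBAC read/write attributes on the previous slide), as an added example that is not APIC code. The users, domains and roles are the slide's examples; the dn format, the object class names and the privileges attached to each role are assumptions made for the illustration. The check shows why a tenant admin cannot even read the other tenant's objects and why a read-only operator cannot write its own tenant's.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MO:
    dn: str        # distinguished name; format "uni/tn-<Tenant>/..." is assumed
    cls: str       # constructed class names: Tenant, EPG, Endpoint, EndpointStats, Port
    domain: str    # security domain: the tenant's name, or "infra" for fabric objects


@dataclass(frozen=True)
class User:
    name: str
    domains: frozenset   # security domains the user is scoped to; "all" spans every domain
    roles: frozenset


# Assumed role definitions for this example: object class -> permitted operations.
# "*" means every class. A role never widens the domain scope; only "all" does that.
ROLE_PRIVS = {
    "infra-admin": {"*": {"read", "write"}},
    "admin": {"*": {"read", "write"}},
    "ep-stats": {"Endpoint": {"read"}, "EndpointStats": {"read"}},
    "ep-events": {"Endpoint": {"read"}, "EndpointEvents": {"read"}},
}


def in_domain(user: User, mo: MO) -> bool:
    return "all" in user.domains or mo.domain in user.domains


def authorize(user: User, mo: MO, op: str) -> bool:
    """True if `user` may perform `op` ("read" or "write") on `mo`.

    Two independent gates, both must pass: the security domain decides which
    objects exist for the user at all, the role decides what may be done to them.
    """
    if op not in {"read", "write"} or not in_domain(user, mo):
        return False
    for role in user.roles:
        privs = ROLE_PRIVS.get(role, {})
        allowed = privs.get(mo.cls, privs.get("*", set()))
        if op in allowed:
            return True
    return False


def visible_dns(user: User, tree: list) -> list:
    """The part of the tree a user can see, i.e. what a GUI/API listing should return."""
    return sorted(mo.dn for mo in tree if authorize(user, mo, "read"))


def build_slide_tree() -> list:
    """A constructed slice of the managed-object tree from the slide."""
    return [
        MO("uni/tn-Pepsi", "Tenant", "pepsi"),
        MO("uni/tn-Pepsi/ap-Pepsi/epg-Pepsi-DB", "EPG", "pepsi"),
        MO("uni/tn-Pepsi/ap-Pepsi/epg-Pepsi-DB/ep-1", "Endpoint", "pepsi"),
        MO("uni/tn-Pepsi/ap-Pepsi/epg-Pepsi-DB/ep-1/stats", "EndpointStats", "pepsi"),
        MO("uni/tn-Coke", "Tenant", "coke"),
        MO("uni/tn-Coke/ap-Coke/epg-Coke-Web", "EPG", "coke"),
        MO("uni/fabric/Fabric1/Switch1/LC1/Port1", "Port", "infra"),
    ]


# The three example users from the slide.
USERS = {
    "admin": User("admin", frozenset({"all"}), frozenset({"infra-admin"})),
    "pepsi_admin": User("pepsi_admin", frozenset({"pepsi"}), frozenset({"admin"})),
    "pepsi_operations": User("pepsi_operations", frozenset({"pepsi"}),
                             frozenset({"ep-stats", "ep-events"})),
}
```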
Cisco ACI Fabric Switch OS: Purpose-Built OS for Automation and Cloud
(Diagram: Cisco APIC with its data management engine (DME), management information tree and policy repository, RESTful API (JSON, XML) and on-box scripting (Python, Puppet, and CFEngine); each switch node runs Cisco NX-OS with a DME object store.)
Cisco NX-OS 11.0
• Rewritten object-oriented Cisco® NX-OS
− Process isolation and restart
− Patching capability (future)
− Enables automation and scale
• Processes as managed objects
− Centralized policy and configuration
− Consistent run-time policy
• Centralized image management
− Management for all nodes
− Zero-touch installation - POAP
• Third-party extensibility
− Puppet, Chef, Python, and CFEngine
Thank you.