Solutions for Software Defined Networking in the Data Center
George Boulescu, Consulting Systems Engineer, CCIE #15928
Cluj‐Napoca
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
SDN?
Manual CLI
More Efficient Manual CLI
Powerful, Bulky Management Tools
(Steampowered Saw)
What We Want
What We're Seeing: Software vs. Existing Tools
• Can be dangerous and unproven
• Excess of new tools
• Risk of choosing the tool before the project
• Power tools are still awesome
IT Automation and Programmability
• Automation is required to rapidly onboard resources and applications
• Automation delivers consistency, accuracy, repeatability and standardisation
• Move from silo management to unified management
• Faster service delivery
Figure: programmability options arranged by effectiveness, from on-box, through one-way, to two-way interaction:
• CLI
• SNMP
• Interpreter (EEM, TCL, Python)
• Linux Containers (Puppet/Chef)
• Web Access
• Bash
• OpenFlow
• NetConf
• API (onePK, RPC, REST)
• OpFlex
Figure: operational models arranged by effectiveness, from snowflake, to silos, to multi-domain, to private cloud:
• Cut & Paste / Excel
• Automation/Orchestration (UCS Director, ICF, OpenStack, ODL)
• Puppet/Chef
• Scripts
• PoAP, Profiles/Policy & controllers, Infrastructure API
• IaaS
• PaaS
• Portal Services (Prime Service Catalog)
Figure (device API model): each switch or router keeps its own forwarding, processing and reporting functions; automation software and applications talk to every device through a per-device API.
• Far reaching – add an API to nearly anything
• A software change – not hardware
• Network problems are management issues – not a lack of features/protocols
• Examples:
− NX-API (Nexus)
− Netconf/YANG (ISP)
− onePK (ISR / Catalyst)
− REST/JSON (industry)
− Linux tools: BASH, LXC, configuration management
Figure (controller model): the switches keep their forwarding, processing and reporting functions, but a controller drives them through a control protocol (OpenFlow, BGP, PCEP, etc.); applications sit on top of the controller and consume its reporting API.
Figure (overlay and Network Function Virtualization, NFV): the switches keep their forwarding and processing functions; an overlay network spans the VMs, and network functions such as load balancer (LB), firewall (FW) and NAM run as virtual machines on that overlay.
• Attractive – can run on existing networks
• Overlay and underlay:
− May not reduce the complexity – duplicating network configuration
− Operational issues if not in unison
• Allows for smaller, simpler, virtual networks
• Alleviates application mobility and scale issues
• Examples:
− VXLAN
− NVGRE
− STT
Hybrid Model "SDN" Approach
Figure: a current switch/router with its own control plane and data plane, devices exposing APIs, and controllers placed over several data planes, shown side by side.
Networks can be built with all 3 – Overlays, Programmability, and Controllers
Examples across the Cisco portfolio: Doppler, Northstar, Nexus 3000, Nexus 9000, CSR, vASA, vIPS, Tail-f, OpenDaylight, COSC, Puppet agents, containers, UCS Director, OpenStack, APIC + ACI, APIC EM, Github WAE, BW Calendaring
Cisco's Approach to SDN: Providing Choice with Automation and Programmability
• Programmable Network – modern NX-OS with enhanced NX-APIs; automation ecosystem (Puppet, Chef, Ansible, etc.); common NX-API across N2K–N9K. Target: mega-scale data centers.
• Programmable Fabric – VXLAN BGP EVPN, standards-based; 3rd-party controller support. Target: service providers, public cloud.
• Cisco ACI – turnkey integrated solution; embedded security, centralized management, and scale; automated application-centric policy model; broad and deep ecosystem. Target: small and large enterprises, public sector, private/hybrid cloud.
Choice of Cisco solutions. Figure: a web / app / DB application deployed on each of the three options.
Programmable Network
Rewind: Network Administration
• "Same as it ever was…"
• Key innovation: Notepad
• Box centric
From Servers To Networks
• Shift from manually configuring every server, OS, and virtual machine -> operating a nimble set of infrastructure at scale
• 1 server admin : hundreds of servers -> 1 server admin : thousands of servers
• From CLI + Bash scripts + reactive configuration -> orchestrated configuration and integration with development
Open NX-OS – Automation for D.I.Y. and DevOps
• 3rd-party DevOps automation tools: use existing server management tools to automate the network; toolset integration into Open NX-OS
• Programmable open APIs: customized development and integration to operationalize Nexus; object-based, model-driven APIs (RESTful XML/JSON)
• Zero-touch provisioning: simplify Day-0 fabric automation with open source tools; bootstrap the network with POAP, Ignite and PXE
• Managing the switch with Linux tools: unified management across compute and network; open kernel, RPM support, Linux network tools
What Is NX-API
• HTTP-based programmatic access to Nexus platforms (HTTP/HTTPS)
• Configuration and management capabilities of the NX-OS CLI with web-based APIs
• Generate CLI output (off box) in XML or JSON format
NX-API & Python Use Case
• Situation: Nexus switches are often deployed in pairs.
• Challenge: configuration/parameters need to match, for example with topologies that use FabricPath or vPC.
• Solution: use a Python script to:
o Call show commands via NX-API
o Compare the VLANs on all the switches
o Configure missing VLANs
• Benefits:
o Reduced time
o Improved efficiency
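The VLAN-comparison script this use case describes, written out as an added example for this page (it is not the script from the slide). It assumes NX-API's JSON-RPC endpoint at https://<switch>/ins with the 'cli' and 'cli_conf' methods, a 'show vlan brief' reply in the TABLE_vlanbriefxbrief/ROW_vlanbriefxbrief layout with a 'vlanshowbr-vlanid' field, and constructed switch names and VLAN sets; every function name below is the example's own.

```python
"""Compare VLANs across paired Nexus switches via NX-API and generate the
missing 'vlan N' configuration. Constructed for this page, not the script from
the slide. Assumptions: NX-API's JSON-RPC endpoint at https://<switch>/ins, the
'show vlan brief' JSON layout used below, and every helper name here."""
import base64
import json
import os
import ssl
import urllib.request
from typing import Callable, Dict, Iterable, List, Set

Transport = Callable[[str, List[dict]], List[dict]]


def nxapi_payload(commands: Iterable[str], method: str = "cli") -> List[dict]:
    """One JSON-RPC request per CLI line, in the shape NX-API accepts on /ins.
    'cli' runs show commands; 'cli_conf' pushes configuration."""
    return [{"jsonrpc": "2.0", "method": method,
             "params": {"cmd": cmd, "version": 1}, "id": i + 1}
            for i, cmd in enumerate(commands)]


def vlans_from_show_output(reply: dict) -> Set[int]:
    """Extract VLAN IDs from one 'show vlan brief' JSON-RPC reply (assumed
    TABLE_/ROW_ layout). NX-API returns a lone row as a dict, not a list."""
    rows = reply["result"]["body"]["TABLE_vlanbriefxbrief"]["ROW_vlanbriefxbrief"]
    if isinstance(rows, dict):
        rows = [rows]
    return {int(r["vlanshowbr-vlanid"]) for r in rows}


def missing_vlans(per_switch: Dict[str, Set[int]]) -> Dict[str, Set[int]]:
    """For each switch, the VLANs that exist on a peer but not locally."""
    union: Set[int] = set().union(*per_switch.values())
    return {sw: union - present for sw, present in per_switch.items()}


def config_commands(vlans: Iterable[int]) -> List[str]:
    """NX-OS lines that create the given VLANs."""
    return [f"vlan {v}" for v in sorted(vlans)]


def sync_vlans(switches: List[str], send: Transport,
               apply: bool = False) -> Dict[str, List[str]]:
    """Collect VLANs from every switch, compute the gaps and return the plan.
    Dry run by default: an operator reviews the diff before apply=True pushes
    it with 'cli_conf'."""
    per_switch: Dict[str, Set[int]] = {}
    for sw in switches:
        reply = send(sw, nxapi_payload(["show vlan brief"]))
        per_switch[sw] = vlans_from_show_output(reply[0])
    plan = {sw: config_commands(v) for sw, v in missing_vlans(per_switch).items()}
    if apply:
        for sw, cmds in plan.items():
            if cmds:
                send(sw, nxapi_payload(cmds, method="cli_conf"))
    return plan


def https_transport(switch: str, payload: List[dict]) -> List[dict]:
    """Real transport: HTTPS POST to /ins with basic auth, certificate
    verification on, credentials taken from the environment (not the script)."""
    token = base64.b64encode(
        f"{os.environ['NXAPI_USER']}:{os.environ['NXAPI_PASS']}".encode()).decode()
    req = urllib.request.Request(
        f"https://{switch}/ins", data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json-rpc",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)


# Constructed sample data standing in for two real switches.
SAMPLE_VLANS = {"leaf-a": [1, 10, 20, 30], "leaf-b": [1, 10, 40]}


def fake_transport(switch: str, payload: List[dict]) -> List[dict]:
    """Offline stand-in for https_transport that answers from SAMPLE_VLANS."""
    rows = [{"vlanshowbr-vlanid": str(v), "vlanshowbr-vlanname": f"VLAN{v:04d}",
             "vlanshowbr-vlanstate": "active"} for v in SAMPLE_VLANS[switch]]
    return [{"jsonrpc": "2.0", "id": 1, "result": {"body": {
        "TABLE_vlanbriefxbrief": {"ROW_vlanbriefxbrief": rows}}}}]


if __name__ == "__main__":
    for sw, cmds in sync_vlans(list(SAMPLE_VLANS), fake_transport).items():
        print(sw, "needs:", cmds or "nothing")
```

With the constructed data, leaf-a is missing VLAN 40 and leaf-b is missing VLANs 20 and 30. Swap fake_transport for https_transport to run against real switches; keeping apply=False until the printed plan has been reviewed is what stops a comparison script from becoming an unreviewed configuration push.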
Python Scripting Example: Serviceability – Reduce Time-to-Resolution
Figure: a customer reports a problem; the IT engineer works through, in turn, ping, show ip route, show ip arp, show mac address-table, show port-channel interface and show interface.
Python Scripting Example: Serviceability – Reduce Time-to-Resolution (continued)
INSIEME# detailson 192.168.208.2
Details for IP Address: 192.168.208.2
+---------------+-----------------------+------------------+----------------+--------+--------+-----------------+------------+
| IP Address | Ping Result | Next Hop | MAC | L3 Int | L2 Int | Errors | Po Members |
+---------------+-----------------------+------------------+----------------+--------+--------+-----------------+------------+
| 192.168.208.2 | 0.00% packet loss | 10.1.1.1, ospf-1 | 30f7.0d9f.8801 | Po1 | Po1 | 0 input error | Eth1/1(P), |
| | 0.494/3.455/15.219 ms | | | | | 0 output errors | Eth1/2(P) |
+---------------+-----------------------+------------------+----------------+--------+--------+-----------------+------------+
Enter Next IP to get details on (Press 0 to exit): 10.1.1.1
Details for IP Address: 10.1.1.1
+------------+---------------------+----------+----------------+--------+--------+-----------------+------------+
| IP Address | Ping Result | Next Hop | MAC | L3 Int | L2 Int | Errors | Po Members |
+------------+---------------------+----------+----------------+--------+--------+-----------------+------------+
| 10.1.1.1 | 0.00% packet loss | attached | 30f7.0d9f.8801 | Po1 | Po1 | 0 input error | Eth1/1(P), |
| | 0.578/0.67/0.945 ms | | | | | 0 output errors | Eth1/2(P) |
+------------+---------------------+----------+----------------+--------+--------+-----------------+------------+
Enter Next IP to get details on (Press 0 to exit):
Programmable Fabric
DC Fabric Deployment & Management Challenges
• Need to respond faster to business demands
• Rapid rollout of fabric infrastructure
• Minimize errors and fabric downtime
Need a new, simpler approach! Manual provisioning models don't work anymore!
Cisco Nexus Fabric Manager (NFM)
• Intelligent fabric lifecycle management
• Fabric-wide focus – auto-configuration and management of the fabric
• Automation based on knowledge of the underlying fabric architecture
• Designed to simplify fabric management through its various lifecycle phases
• Initial support for Cisco Nexus 9000 Family running stand-alone NX-OS mode
• Delivered via VXLAN-based architecture
Figure: fabric management lifecycle – creation, expansion, connection, faults/reporting – all driven from the Fabric Manager.
Focus on Fabric Management Workflows
NFM optimizes fabric management workflows:
• Help network ops quickly support business needs
• Switch features managed based on workflows
Sample fabric management workflows:
1. Create a fabric
• NFM creates and manages an HA-enabled fabric
2. Add a new switch to the fabric
• NFM discovers, adds, and configures the new switch
3. Create a broadcast domain
• NFM creates and manages VLANs and the VXLAN topology
Build broadcast domain: assign a VLAN from the NFM-managed pool, assign a VNID from the NFM-managed pool, map the VLAN to the VNID on the target leafs, attach the VNID to the VTEP.
Add to broadcast domain: establish VLAN port membership.
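The "build broadcast domain" and "add to broadcast domain" workflows above, modelled as an added example for this page (this is not NFM code). It assumes constructed pool ranges and leaf names, an nve1 VTEP interface and BGP ingress replication for the VNI, and emits NX-OS style lines for each leaf so the effect of each workflow step is visible.

```python
"""Toy model of the 'build broadcast domain' workflow: a VLAN and a VNID come
from managed pools, the VLAN is mapped to the VNID on the target leafs, and the
VNID is attached to each leaf's VTEP. Added for this page; not NFM code. Pool
ranges, leaf names, the nve1 interface and BGP ingress replication are
assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


class Pool:
    """Managed numeric pool: lowest free value first, no reuse while a value
    is allocated, and a hard error instead of silently running past the range."""

    def __init__(self, first: int, last: int) -> None:
        self.first, self.last = first, last
        self.used: Set[int] = set()

    def allocate(self) -> int:
        for value in range(self.first, self.last + 1):
            if value not in self.used:
                self.used.add(value)
                return value
        raise RuntimeError(f"pool {self.first}-{self.last} exhausted")

    def release(self, value: int) -> None:
        self.used.discard(value)


@dataclass
class BroadcastDomain:
    name: str
    vlan: int
    vnid: int
    leafs: List[str]
    ports: Dict[str, List[str]] = field(default_factory=dict)  # leaf -> host ports


class FabricManager:
    def __init__(self, vlan_pool: Pool, vni_pool: Pool) -> None:
        self.vlan_pool, self.vni_pool = vlan_pool, vni_pool
        self.domains: Dict[str, BroadcastDomain] = {}

    def create_broadcast_domain(self, name: str, leafs: List[str]) -> BroadcastDomain:
        """Workflow steps 'assign VLAN from pool' and 'assign VNID from pool'."""
        if name in self.domains:
            raise ValueError(f"broadcast domain {name!r} already exists")
        bd = BroadcastDomain(name, self.vlan_pool.allocate(),
                             self.vni_pool.allocate(), list(leafs))
        self.domains[name] = bd
        return bd

    def delete_broadcast_domain(self, name: str) -> None:
        """Return both identifiers to their pools so they can be reused."""
        bd = self.domains.pop(name)
        self.vlan_pool.release(bd.vlan)
        self.vni_pool.release(bd.vnid)

    def add_port(self, name: str, leaf: str, port: str) -> None:
        """Workflow step 'establish VLAN port membership' (add to broadcast domain)."""
        bd = self.domains[name]
        if leaf not in bd.leafs:
            raise ValueError(f"{leaf} is not a target leaf of {name!r}")
        bd.ports.setdefault(leaf, []).append(port)

    def leaf_config(self, leaf: str) -> List[str]:
        """Per-leaf NX-OS style lines: VLAN-to-VNID mapping, VNID attached to
        the VTEP (nve1), then host-port membership. Empty if the leaf carries
        no broadcast domain."""
        lines: List[str] = []
        for bd in self.domains.values():
            if leaf not in bd.leafs:
                continue
            lines += [f"vlan {bd.vlan}", f"  vn-segment {bd.vnid}",
                      "interface nve1", f"  member vni {bd.vnid}",
                      "    ingress-replication protocol bgp"]
            for port in bd.ports.get(leaf, []):
                lines += [f"interface {port}", "  switchport mode access",
                          f"  switchport access vlan {bd.vlan}"]
        return lines


def demo() -> FabricManager:
    """Constructed walk-through: two leafs, one domain with one host port."""
    fm = FabricManager(Pool(100, 199), Pool(10100, 10199))
    fm.create_broadcast_domain("web", ["leaf1", "leaf2"])
    fm.add_port("web", "leaf1", "Ethernet1/5")
    return fm


if __name__ == "__main__":
    print("\n".join(demo().leaf_config("leaf1")))
```

The pool refuses to hand out a value twice and raises when exhausted rather than wrapping, and add_port rejects a leaf that was never made part of the domain; both are the kinds of consistency checks a fabric manager must do for you that the CLI-by-hand procedure leaves to the spreadsheet.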
CLI-Jockey: Building a Fabric – Day 0-1
Steps required to build the fabric and establish a connection between two devices
Features touched: OSPF, Spanning Tree, VLANs, BGP, vPCs, NTP, AAA, HSRP, VRFs, QoS, ISLs, port channels
1. Rack and Cable
• Rack all switches, note serial numbers for future reference
• Run cables between switches
• Note in spreadsheet all connections
• Attach management interfaces
2. Power-up and Initial Config
• Power all switches, attach console
• Complete initial config dialog
• Assign mgmt IP addr, default route
• Upgrade switch software if required
• Enable L3 interfaces on spines
3. Setup Common Config
• Verify all connections using show CDP neighbor – per switch
• Configure common features including NTP, SNMP, Syslog, AAA, usernames per switch, etc.
4. Setup Initial Topology
• Refer to spreadsheet from step 1
• Configure switch-facing interfaces to L3 mode
• Configure all port channels within fabric via CLI – time consuming
5. Setup Underlay Routing
• Create addressing plan for underlay
• Configure point-to-point subnets between switches
• Configure loopback interfaces
• Configure IGP (e.g. OSPF)
6. Setup BGP Routing, EVPN
• Establish neighbor configuration per peer, per switch
• Establish EVPN configuration per peer, per switch
7. Build Broadcast Domain
• Refer to spreadsheet from step 1
• Assign new VLAN for BD in each leaf switch
• Add host ports to VLAN in each applicable leaf switch
8. Build VXLAN/EVPN Config
• Establish VNI/VLAN mapping on each switch
• Configure VTEP on each switch
• Configure EVPN on each switch
• Test connectivity
• Heavy reliance on CLI – time consuming
• This doesn't include host-facing vPCs or VRFs
• Need to repeat many steps above per broadcast domain
NFM: Building a Fabric – Day 0-1
Steps required to build the fabric and establish a connection between two devices (NFM abstractions: switch pool, broadcast domain)
1. Rack and Cable
• Rack all switches, note serial numbers for future reference (*optional*)
• Run cables between switches
• Attach management interfaces
2a. Power-up and Initial Config
• Power all switches, attach console
• Complete initial config dialog
• Assign mgmt IP addr, default route, username/pw for NFM
2b. Power-up and POAP
• Set basic boot script within POAP to assign IP_addr, default gateway, and username/password
• Power all switches
3. Discover Fabric
• Enter seed switch IP into NFM UI for fabric discovery ✶click✶
• Select all discovered N9K switches and set them to managed mode via group edit ✶click✶
4. Setup Broadcast Domain
• Select discovered host devices and choose create new broadcast domain ✶click✶
• Test connectivity
• Very simplified procedure to go from boxes of switches to a functioning fabric
• 3 clicks and you have a full VXLAN/EVPN fabric with communicating devices
• Ignite (POAP) eliminates the need to assign initial IP_Addr and credentials to switches
• User asks for a broadcast domain, NFM handles the full VXLAN configuration
Virtual Topology System (VTS): Overlay Provisioning & Management System
Figure: VTS is driven from vCenter, a REST API or its GUI.
• Programmable fabric across the Nexus portfolio (Nexus 2K – 9K)
• Automated: seamless integration with orchestrators; overlay provisioning and DCI/WAN integration
• Scalable VXLAN management: MP-BGP EVPN control plane; high-performance virtual forwarding
• Open and programmable: REST northbound APIs; multi-protocol and multi-hypervisor support
• Flexible overlays: physical and virtual overlays; bare-metal and virtualized workloads
Application Centric Infrastructure
Application Centric Infrastructure: Cisco's SDN Solution for Data Center Networking
Rapid deployment of applications onto networks with scale, security and full visibility
Figure: group-based policies, the ACI controller and the integrated GBP VXLAN overlay on top of the ACI fabric. Best SDN Controller, Interop 2015.
Momentum Continues to Grow
• 6,000+ Nexus 9K and ACI customers globally
• 50 ecosystem partners
• 1400+ ACI customers
Power of Abstraction
• Mobile phone: the SIM card is the identity for a phone
• UCS service profile: the identity for a server – unified device management (network policy, storage policy, server policy); logical provisioning of stateless hardware
ACI Fabric: Logical Provisioning of Stateless Network
Application profile: identity for the network
• Extend the principle of Cisco UCS® Manager service profiles to the entire fabric
• Network profile: stateless definition of application requirements
− Application tiers
− Connectivity policies
− Layer 4 – 7 services
− XML/JSON schema
• Fully abstracted from the infrastructure implementation
− Removes dependencies of the infrastructure
− Portable across different data center fabrics
Application Policy Model and Instantiation
All forwarding in the fabric is managed through the application network profile
• IP addresses are fully portable anywhere within the fabric
• Security and forwarding are fully decoupled from any physical or virtual network attributes
• Devices autonomously update the state of the network based on configured policy requirements
Application policy model: defines the application requirements (application network profile)
Policy instantiation: each device dynamically instantiates the required changes based on the policies
Figure: an application with client, web tier, app tier, DB tier and storage; its VMs (e.g. 10.2.4.7, 10.9.3.37, 10.32.3.7) can sit anywhere in the fabric.
Cisco ACI Fabric Multi-Tenancy Construct
• ACI Fabric leverages VXLAN encapsulation to build the network overlay
• VXLAN Source Group is used as a tag/label to identify the specific end point for each application function (EPG)
• Policy is enforced between an ingress or source application tier (EPG) and an egress or destination application tier (EPG)
• Policy can be enforced at source or destination
Mapping the configuration to the packet (figure of the VXLAN header): flags M/LB/SP and DR; VNID == BD/VRF; Source Class ID == EPG
Figure: tenant "Coke" with Private Network 1 and Private Network 2, Bridge Domains 1–4 and their EPGs.
Cisco ACI Fabric Multi-Tenancy Construct (apps and infrastructure)
Tenant "Coke"
• Private Network 1 and Private Network 2
• Bridge Domain 172: subnets 172.1.1.0/24, 172.1.2.0/24, …, 172.20.1.0/24
• Bridge Domain 10: subnet 10.1.1.0/24
• Bridge Domain 100: subnets 10.1.1.0/24, 10.1.2.0/24, …
• EPGs WEB, APP and DB linked by policies "HTTP" and "SQL", and a second set of EPGs web, app and db with the same "HTTP" and "SQL" policies
Defining Application Logic Through Policy: Applications and Conversations
• Application communication can be defined as who is allowed to talk to whom.
• Communication between objects on the network can be thought of as one- or two-way conversations (monologue/dialogue).
Figure: Users, Web Farm, App Servers, DB Farm.
Defining Application Logic Through Policy: The Provider Consumer Relationship
Users consume web services; the Web Farm provides web services and consumes app services; the App Servers provide app services.
Provider consumer relationships define application connectivity in application terms. All objects can provide, consume, or both.
Building ACI Contracts
Contracts define communication between source and destination EPGs. The defined policy encompasses traffic handling, quality of service, security monitoring and logging.
A contract (e.g. Contract 1) holds one or more subjects (Subject 1, Subject 2, Subject 3).
Subjects are a combination of a filter, an action and a label (Filter | Action | Label), for example: filter TCP port 80, action Permit, label WebAccess.
Actions are policy options:
• Permit the traffic
• Block the traffic
• Redirect the traffic
• Log the traffic
• Copy the traffic
• Mark the traffic (DSCP/CoS)
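The provider/consumer relationships and contract structure of the last three slides, modelled as an added example for this page (it is not APIC's object model). It assumes a whitelist: a flow between two EPGs that no contract covers is blocked, which is how the "who is allowed to talk to whom" model above behaves, and endpoints within one EPG may talk freely, as ACI allows by default. The EPG names, ports and labels are constructed.

```python
"""Small model of the ACI policy constructs: EPGs, contracts built from
subjects (filter + action + label) and provider/consumer relationships, plus
an evaluator that says how the fabric treats a flow between two EPGs. Added
for this page; not APIC's object model. Flows no contract covers are blocked
(whitelist); EPG names, ports and labels below are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class Filter:
    protocol: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]     # destination port; None matches any port

    def matches(self, protocol: str, dport: Optional[int]) -> bool:
        return (self.protocol in ("any", protocol)
                and (self.dport is None or self.dport == dport))


@dataclass(frozen=True)
class Subject:
    filter: Filter
    action: str   # permit | block | redirect | log | copy | mark
    label: str


@dataclass
class Contract:
    name: str
    subjects: List[Subject]
    providers: Set[str] = field(default_factory=set)   # EPGs providing it
    consumers: Set[str] = field(default_factory=set)   # EPGs consuming it


class Tenant:
    def __init__(self, name: str, epgs: List[str]) -> None:
        self.name, self.epgs = name, set(epgs)
        self.contracts: List[Contract] = []

    def add_contract(self, contract: Contract) -> Contract:
        self.contracts.append(contract)
        return contract

    def provide(self, epg: str, contract: Contract) -> None:
        self._check(epg)
        contract.providers.add(epg)

    def consume(self, epg: str, contract: Contract) -> None:
        self._check(epg)
        contract.consumers.add(epg)

    def _check(self, epg: str) -> None:
        if epg not in self.epgs:
            raise KeyError(f"no EPG {epg!r} in tenant {self.name}")

    def evaluate(self, src_epg: str, dst_epg: str,
                 protocol: str, dport: Optional[int] = None) -> str:
        """Action for a flow initiated by src_epg (consumer) towards dst_epg
        (provider): the first matching subject of a contract linking the two
        in that direction, else 'block'. Traffic inside one EPG needs no
        contract (assumed ACI default)."""
        self._check(src_epg)
        self._check(dst_epg)
        if src_epg == dst_epg:
            return "permit"
        for contract in self.contracts:
            if src_epg in contract.consumers and dst_epg in contract.providers:
                for subject in contract.subjects:
                    if subject.filter.matches(protocol, dport):
                        return subject.action
        return "block"


def build_sample_tenant() -> Tenant:
    """Constructed tenant shaped like the 'Coke' example: users consume web,
    web consumes app, app consumes db. Ports and labels are made up."""
    t = Tenant("Coke", ["users", "web", "app", "db"])
    http = t.add_contract(Contract("HTTP", [
        Subject(Filter("tcp", 80), "permit", "WebAccess"),
        Subject(Filter("tcp", 443), "permit", "WebAccess")]))
    app = t.add_contract(Contract("APP", [
        Subject(Filter("tcp", 8080), "permit", "AppAccess")]))
    sql = t.add_contract(Contract("SQL", [
        Subject(Filter("tcp", 3306), "permit", "DbAccess"),
        Subject(Filter("icmp", None), "log", "DbProbe")]))
    t.provide("web", http)
    t.consume("users", http)
    t.provide("app", app)
    t.consume("web", app)
    t.provide("db", sql)
    t.consume("app", sql)
    return t


if __name__ == "__main__":
    tenant = build_sample_tenant()
    for flow in [("users", "web", "tcp", 80), ("users", "db", "tcp", 3306),
                 ("app", "db", "icmp", None), ("db", "app", "tcp", 3306)]:
        print(flow, "->", tenant.evaluate(*flow))
```

Two properties worth noticing in the output: users never reach db even though both contracts exist, because no contract links those two EPGs, and the SQL contract is one-directional, so db initiating towards app is blocked. Both fall out of the provider/consumer pairing rather than from any address-based rule.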
Cisco ACI Layer 4-7 Service Integration (1)
Figure: an application profile with EXTERNAL, WEB, APP and DB tiers joined by policies; service graph "WebGraph" (Func: Firewall, Func: Load Balancer) and service graph "appGraph" (Func: Load Balancer) are attached to those policies, each graph running from Terminal: Input1 to Terminal: Output1.
Cisco ACI Layer 4-7 Service Integration (2)
• Elastic service insertion architecture for physical and virtual services
• APIC as central point of network control with policy coordination
• Automation of service bring-up/tear-down through programmable interface
• Supports existing operational model when integrated with existing services
• Service enforcement assured, regardless of endpoint location
Figure: providers (web server, app server, …) each carry a service profile that references a service graph; between Web Tier A and App Tier B the policy enforcement chain "Security 5" (roles: application admin, service admin) runs from begin through stage 1 … stage N to end, with firewall instances followed by load balancer instances.
Hypervisor Integration with ACI
• Relationship is formed between APIC and the Virtual Machine Manager (VMM)
• ACI Fabric implements policy on virtual networks by mapping endpoints to EPGs
• Endpoints in a virtualized environment are represented as the vNICs
• VMM applies network configuration by placing vNICs into: Port Groups (VMware), VM Networks (Hyper-V), Networks (OpenStack)
• EPGs are exposed to the VMM as a 1:1 mapping to Port Groups, VM Networks or OpenStack Networking
Figure: an application network profile on APIC with EPG WEB, EPG APP (behind a L/B) and EPG DB (behind a F/W), mapped to the WEB, APP and DB port groups that hold the VMs.
Full Stack Use Cases: Architecture = Choice in Cloud Management Platforms to Endpoints
Figure: any cloud management platform (e.g. vRealize, CloudCenter Manager) on top of the software defined network (SDN controller), down to any endpoint – virtual machines (VM1, VM2), containers (Docker1, Docker2) and bare metal.
• Infrastructure intelligence for apps
• Policy-based automation for application management
• SAP app deployment and governance
• Secure PaaS
• Real-time insights and actions
Questions