
Application Centric Infrastructure

Presentation from the San Diego Tech Day 2017

Published in: Technology

  1. Application Centric Infrastructure – An Introduction
  2. Cisco Confidential 2 © 2013-2014 Cisco and/or its affiliates. All rights reserved. Industry Adoption: 6,000+ Nexus 9K and ACI customers globally; 50+ ecosystem partners; 1400+ ACI customers; new ACI ecosystem partners.
  3. Outpacing Our Competitors: Cisco DC share 67%, 69%, 65%, 65%, 65%; record 10G+ bookings in FQ4'15; driving market share leadership; fastest growing DC technology in Cisco's history; 3M ports / 6.5M ports (ACI, VMware).
  4. Gartner: Current State of the Market – SDN conversations are about ACI and NSX; ACI outpacing NSX, trending to 5:1; more technology partner activity for ACI than NSX; DC proposals include N9K today, and of those include ACI, trending to 2/3.
  5. A History of Innovation – Crescendo Communications (1993): Catalyst 5K (modularity, VLANs), Catalyst 6K (integrated L2/L3, services); Andiamo Systems (2002): MDS 9509 (VSANs, modular OS), MDS 9513 (control plane and data plane separation); Nuova Systems (2008): Nexus 7K (enhanced modular OS, vPC), UCS/FEX (simplified management, policy-based data model).
  6. Nexus 9500 – Price: cost structure for 1G to 1/10GT and 10G to 40G migration, 50% fewer ASICs. Performance: industry-leading price per line card bandwidth, 1.92 Tbps per slot, 100G ready. Port density: 20% higher non-blocking density. Programmability: JSON/XML API, Linux container for customer apps. Power efficiency: state-of-the-art backplane-free design, 15% greater power and cooling efficiency. Merchant+ ASIC approach: innovation in Cisco ASICs.
  7. The Latest Hardware Innovation – Nexus 9500 modular chassis (Nexus 9508 front and rear views): 8 line card slots, max 3.84 Tbps/slot duplex; redundant supervisor engines; 3 or 6 fabric modules (behind fan trays); 3 fan trays, front-to-back airflow; redundant system controller cards; no mid-plane for line card to fabric module connectivity; 3000W AC power supplies with 2+0, 2+1, 2+2 redundancy, support for up to 8 power supplies. Mechanical advancements: no mid-plane (better airflow, better MTBF, longevity); both a supervisor and a system controller (better control plane scale); power footprint future-proofed for 100/400G; common components across 4, 8 and 16 slot chassis.
  8. Cisco Custom ASIC + Merchant ASIC.
  9. Modular Nexus 9500 Common Components – Three chassis options with 4, 8 and 16 payload slots (9504, 9508, 9516); industry's most dense 40G devices (up to 576x40G ports). Supervisor, redundant configuration: SUP-A 4-core, 16G memory, 64G SSD; SUP-B 6-core, 24G memory, 256G SSD, faster BGP convergence / programmability. System controller, redundant configuration: ARM 1.3 GHz dual core, chassis management. Power supply: N+N, N+1 redundancy; 3000W AC PSU, 92% efficient; 3000W HV AC/DC PSU, 92% efficient.
  10. Nexus 9000 Portfolio – Modular Nexus 9500 Platform: chassis options with 4, 8 and 16 payload slots (Nexus 9504, 9508, 9516); industry's most dense 40G devices (up to 576x40G ports). Line card families: X9400 (merchant T2, L2 VXLAN; line rate for > 200-byte packets, best price); X9600 (merchant T2, L2 VXLAN; line rate at all packet sizes); X9500 (Cisco ASIC, L2/L3 VXLAN, bigger buffers; line rate at all packet sizes); X9700 (Cisco ASIC, ACI spine). Cards: X9464TX 48p 100M/1/10GT & 4p 40G QSFP+; X9464PX 48p 1/10G SFP+ & 4p 40G QSFP+; X9432PQ 32p 40G QSFP+; X9408PC 8p 100G CFP2; X9636PQ 36p 40G QSFP+; X9408 CFP2/CPAK 8p 100G; X9564TX 48p 100M/1/10GT & 4p 40G QSFP+; X9564PX 48p 1/10G SFP+ & 4p 40G QSFP+; X9536PQ 36p 40G QSFP+; X9736PQ (ACI spine) 36p 40G QSFP+.
  11. Nexus 9500 – Moving Forward (9504, 9508, 9516). Merchant ASIC, 28nm technology: X9400-S (NX-OS) 32p 100G QSFP line card, 10/25/40/50/100G, plus fabric module, backward compatible with existing Broadcom T2-based line cards. Cisco ASIC, 16nm technology: X9700-EX (NX-OS and ACI) 32p 100G QSFP line card, 10/25/40/50/100G, analytics readiness, plus fabric module, backward compatible with existing Nexus 9300 ACI leafs (40G uplinks) in ACI mode. Migrate from NX-OS to ACI spine with just a software upgrade; upgrade to 100G infrastructure while reusing existing chassis.
  12. Cisco Nexus 9372PX / 9372TX – Nexus 9300 platform architecture: 1 RU height; no GEM module; 48x 1 Gb SFP / 10 Gb SFP+ ports on Nexus 9372PX; 48x 1/10 Gb Base-T ports on Nexus 9372TX; 6x 40 Gb QSFP+ ports; 1 100/1000BASE-T management port; 1 RS232 console port; 2 USB 2.0 ports; front-to-back and back-to-front airflow options; 1+1 redundant power supply options; 2+1 redundant fans. 48x 1/10 Gbps ports on the NFE, 6x 40 Gbps QSFP+ ports on the ALE-2. N9K-C9372PX / N9K-C9372TX rear: console port, management port, USB ports, power supplies and fans, 4 system fan trays.
  13. Nexus 9300 – Fixed Form Factor Platforms (ideal for top of rack; compatible with FEX or an economical FEX alternative; fully programmable and ACI ready; NEW! 4p 100G uplink):
      Nexus 9372PX    1RU   48p 10G SFP+ & fixed 6p 40G QSFP+
      Nexus 9372TX    1RU   48p 10G Base-T & fixed 6p 40G QSFP+
      Nexus 9332PQ    1RU   32p 40G QSFP+
      Nexus 9336PQ    2RU   36p 40G QSFP+ ('Baby Spine')
      Nexus 9396PX    2RU   48p 1G/10G SFP+ & 12p 40G QSFP+
      Nexus 9396TX    2RU   48p 100M/1G/10GT & 12p 40G QSFP+
      Nexus 93128TX   3RU   96p 100M/1G/10GT & 8p 40G QSFP+
      Nexus 93120TX   2RU   96p 1G/10GT & 6p 40G QSFP+
  14. Introducing: Nexus 9300-EX Series (NEW, Q2 CY16): Nexus 93108TC-EX, 48p 1/10GT + 6p 40/100G QSFP (Netflow*); Nexus 93180YC-EX, 48p 1/10/25G SFP + 6p 40/100G QSFP (Netflow*). Key features: dual personality (ACI and NX-OS mode); industry's first native 25G capable switch; flexible port configurations 1/10/25/40/50/100G; up to 40 MB shared buffer; native Netflow hardware sensor. Key benefits: better understanding of network flow; flexible network upgrades using multi-speed ports; IP storage optimized buffering. * Hardware readiness; check the software roadmap for enablement timelines.
  15. Optical Innovation: Removing 40 Gb Barriers. Problem: 40 Gb optics are a significant portion of capital expenditures (CAPEX); 40 Gb optics require new cabling. Solution: Cisco 40 Gb SR-BiDi QSFP, supported across all Cisco QSFP ports; re-use existing 10 Gb MMF cabling infrastructure; re-use patch cables (same LC connector); QSFP, MSA-compliant; dual LC connector; support for 100 m on OM3 and up to 150 m on OM4; TX/RX on two wavelengths at 20 Gb each.
  16. Application Centric Infrastructure (ACI) – Rapid deployment of applications onto networks with scale, security and full visibility. Application centric policy: declarative policy model; fully object-oriented and open; application centric desired state; packaged deployment; use, re-use and decommission with audit trails. Nexus 9000 family: embedded stateless L4 firewall (zero trust); tenant isolation; group-based security policy* (3rd party included); whitelist policy enforcement; fabric high availability. Policy controller: centralized management; role-based access; audit logs; health monitoring; open REST APIs. * Group-based security policy includes physical and virtual, from Cisco and 3rd party, with embedded white-list security filtering; a superset of micro-segmentation.
  17. ACI Design Philosophy: system architecture (expand networking from boxes to systems); open source and multi-vendor (innovations published to open source); physical and virtual (traditional, virtualized and next-gen non-virtualized applications); velocity (abstraction, abstraction, abstraction); costs (best of merchant and custom silicon for CAPEX, unmatched automation for OPEX). (Figure: applications and network complexity reduced to policy and relevant information.)
  18. Topology: Spine 1 and Spine 2; Leaf 1 to Leaf 4; APIC cluster; 40–100 Gb links; analytics; fabric modules, line cards, supervisor; attached server, firewall and load balancer.
  19. Network-Centric Innovations: plug and play environment; single point of management; FYI protocols (VXLAN, LLDP, IS-IS, MP-BGP, COOP, OpFlex); the 4 D's of innovation: dynamic load balancing, dynamic packet prioritization, directed ARP, distributed gateway; multiple hypervisor support (ESX/VMware, Hyper-V/Microsoft, KVM/Red Hat and physical servers, with VLAN, VXLAN and NVGRE normalized onto the Cisco ACI fabric). (Figure: spine/leaf fabric with APIC; an ingress-to-egress TCP flow over two paths with delays d1 and d2.)
  20. Congestion awareness (figure: normal and congested links between Leaf 1, Leaf 2, Spine 1 and Spine 2). In traditional networks available today, Leaf 1 is not aware of the congestion between Spine 2 and Leaf 2. Congestion awareness across the network is essential for optimal traffic distribution.
  21. Traditional Networking – switching/routing decisions are per flow. What if we could divide a flow into multiple parts that could take independent network paths?
  22. Flowlet switching (figure: a TCP flow from H1 to H2 over two paths with delays d1 and d2). State-of-the-art ECMP hashes flows (5-tuples) to a path to prevent reordering of TCP packets. Flowlet switching* routes bursts of packets from the same flow independently, with no packet re-ordering provided the gap between bursts is ≥ |d1 – d2|. *Flowlet Switching (Kandula et al. '04).
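The flowlet rule on this slide is easy to check by simulation. The following is an added example, not code from the deck or from Cisco: it splits one flow into flowlets at gaps of at least |d1 – d2|, sends each flowlet over an independently chosen path, and replays the arrivals to confirm the receiver sees no reordering; the packet send times and path delays are constructed.

```python
"""Flowlet switching simulation (added example, constructed data).

Two paths with fixed one-way delays carry one TCP flow. Packets are grouped
into flowlets wherever the inter-packet gap is >= |d1 - d2|; each flowlet
may then take an independently chosen path without reordering at the
receiver. A too-small gap threshold is simulated too, to show the failure.
"""
from itertools import cycle


def split_flowlets(send_times, gap):
    """Return lists of packet indices; a new flowlet starts whenever the
    gap since the previous packet is >= gap (send_times must be sorted)."""
    flowlets, current = [], []
    for i, t in enumerate(send_times):
        if current and t - send_times[i - 1] >= gap:
            flowlets.append(current)
            current = []
        current.append(i)
    if current:
        flowlets.append(current)
    return flowlets


def deliver(send_times, path_delays, gap):
    """Assign flowlets to paths round-robin and replay the arrivals.

    Returns (sequence_seen_by_receiver, reordered_count), where an adjacent
    pair of arrivals with a lower packet number second counts as reordered.
    """
    paths = cycle(range(len(path_delays)))
    arrivals = []
    for flowlet in split_flowlets(send_times, gap):
        delay = path_delays[next(paths)]
        arrivals.extend((send_times[i] + delay, i) for i in flowlet)
    arrivals.sort()  # the receiver sees packets in arrival-time order
    seq = [i for _, i in arrivals]
    reordered = sum(1 for a, b in zip(seq, seq[1:]) if b < a)
    return seq, reordered


def safe_gap(path_delays):
    """Smallest flowlet gap that guarantees in-order delivery: the largest
    latency difference between any two paths (|d1 - d2| for two paths)."""
    return max(path_delays) - min(path_delays)


# Constructed sample: three bursts of one flow (send times in ms) over paths
# with delays d1 = 5 ms and d2 = 2 ms, so the safe gap is 3 ms.
SEND_TIMES = [0, 1, 2, 10, 11, 12, 20, 21]
PATH_DELAYS = [5, 2]

if __name__ == "__main__":
    for gap in (safe_gap(PATH_DELAYS), 1):
        seq, bad = deliver(SEND_TIMES, PATH_DELAYS, gap)
        print(f"gap >= {gap} ms: receive order {seq}, reordered packets {bad}")
```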
  23. ACI Dynamic Packet Prioritization: real traffic is a mix of large (elephant) and small (mice) flows (F1, F2, F3). Standard (single priority): large flows severely impact performance (latency and loss) for small flows. Dynamic flow prioritization: the fabric automatically gives a higher priority to small flows. Key idea: the fabric detects the initial few flowlets of each flow and assigns them to a high priority class.
  24. Location-Independent Forwarding, Layer 2 and Layer 3 (figure: endpoints 10.1.1.10, 10.1.3.11, 10.6.3.2 and 10.1.3.35 before and after). Cisco ACI fabric supports full Layer 2 and Layer 3 forwarding semantics; no changes are required to applications or endpoint IP stacks. Cisco ACI fabric provides optimal forwarding for Layer 2 and Layer 3: the fabric provides a pervasive SVI, which allows a distributed default gateway, and Layer 2 and Layer 3 traffic is forwarded directly to the destination endpoint. Directed ARP forwarding: IP ARP and GARP packets are forwarded directly to the target endpoint address contained within the ARP or GARP header (elimination of flooding).
  25. Security-Centric Innovations: built-in firewall capabilities; whitelist model; all communication patterns known; apps only communicate if allowed to; communication patterns are documented for auditing; visibility if packets are dropped due to being out of policy; L4-7 device management through ACI is available through device packages.
  26. An Application is more than just a VM: interconnected components (web VMs, app VMs, db VMs, the Internet). How do we define the network for the application? What does an application need from the network? Application Network Profile: End-Point Groups joined by contracts, with firewall, IPS, load balancer and QoS services.
  27. Application-Centric Innovations: configuration occurs based on application patterns; declarative approach; any problems are visualized, from physical up to application; multiple hypervisor types supported; full REST-based interface; events from ACI can be triggered externally.
  28. Multihypervisor-Ready Fabric (hypervisor integration; network admin and application admin roles): integrated gateway for VLAN, VXLAN and NVGRE networks from virtual to physical; normalization for NVGRE, VXLAN and VLAN networks; customer not restricted by a choice of hypervisor; fabric is ready for multiple hypervisors (ESX/VMware, Hyper-V/Microsoft, KVM/Red Hat and physical servers).
  29. Fabric Initialization and Maintenance: Cisco ACI fabric supports discovery, boot, inventory and systems maintenance processes through Cisco APIC: fabric discovery and addressing; image management; topology validation through wiring diagram and system checks. Topology discovery through LLDP using Cisco ACI specific TLVs (Cisco ACI OUI); loopback and VTEP IP addresses allocated from the "infra VRF" through DHCP from the Cisco APIC cluster.
  30. ACI Policy Plane – Application Policy Infrastructure Controller. What it is: centralized controller for the ACI fabric; provides GUI and RESTful programming API; HA clustered across 3+ nodes; ships as 3x 1RU hardware appliances. What it is NOT: NOT the control plane; NOT in the data path.
  31. Integration: ACI provides a rich REST-based API; 100% match between GUI and API calls; Python SDK ("Cobra"); ACIToolkit; eventing provided through web sockets; L4-L7 device packages; OpFlex open protocol. (Object tree: Tenant: Development and Tenant: Production, each with App Profile, EPGs, L3 Networks; Fabric with Switch, Line Cards, Ports.)
  32. Cisco Application Policy Infrastructure Controller – Centralized Automation and Fabric Management: unified point of data center network automation and management (application-centric network policies; data model-based declarative provisioning; application, topology monitoring and troubleshooting; third-party integration for Layer 4-7 services, storage, compute, WAN, etc.; image management for spine and leaf; fabric inventory); a single Cisco APIC cluster supports one million+ endpoints, 200,000+ ports and 64,000+ tenants; centralized access to all fabric information through GUI, CLI and RESTful APIs; extensible to computing and storage management. Ecosystem through the open RESTful API and policy-based provisioning: Layer 4-7 (Citrix, F5), storage management (EMC Corporation, NetApp), system management (Puppet Labs, OpsCode, Python, CFEngine), orchestration management (Microsoft, XenServer, CloudStack, OpenStack, VMware, Red Hat KVM); SMEs for storage, server, network, security, application and OS.
  33. L4-L7 Service Automation – Support for All Devices: any device and cluster manager support; centralized L4-L7 service configuration and management; full L4-L7 service automation (with device package); large ecosystem and investment protection; new: support for ANY L4-7 device, no device package needed; new: support for L4-L7 cluster managers; automated service insertion and chaining. (ACI services graph with L4-L7 device package, no device package, or service cluster manager; pre-1.2 versus new in ACI 1.2(1x).)
  34. Visibility Innovations: health scores; atomic counters; endpoint tracker; traffic heat maps; traffic flow visibility, including where packet drops occur; spanning at multiple layers; upcoming analytics.
  35. Day 2 Tools for Simplified Operations: system health scores; statistics per app endpoint; troubleshooting wizard; contract deny logs; real-time heat maps; endpoint tracker.
  36. Telemetry – Atomic Counters (packets from Leaf 2 to Leaf 5 across four spine paths):
      Path     Sent from Leaf 2   Received on Leaf 5   Difference
      Path 1   2068               2066                 2
      Path 2   2963               2963                 0
      Path 3   2866               2869                 -3
      Path 4   2506               2506                 0
  37. Operational Simplicity – Real-Time Heat Maps (ACI 1.2(1x) operations): identify hot spots in real time; centralized real-time troubleshooting; know where the system is overloaded, fabric wide; fast or even automated policy-driven remediation with the API; customizable stats for different deployment scenarios (test/dev, production, staging etc.); workload placement simplified. (Figure: fabric traffic map.)
  38. Operational Simplicity (ACI 1.2(1x) operations): dramatic simplification of fabric resource management via a single page summary; comprehensive management and automation; understand easily ALL major aspects of capacity (MAC tables, policy CAM etc.); instantly identify capacity issues for the ENTIRE fabric with clear visuals.
  39. Application Connectivity Awareness – application-level visibility (as it pertains to the fabric), VXLAN per-hop visibility, physical and virtual as one. Cisco ACI fabric provides the next generation of analytic capabilities per application, tenant and infrastructure: health scores; latency; atomic counters; resource consumption. Integrate with workload placement or migration; actions: no new hosts or VMs, evacuate hypervisors, re-balance clusters. Triggered events or queries, e.g. a PetStore event across PetStore Dev (Leaf 1 and 2, Spine 1–3, atomic counters), PetStore Prod (Leaf 2 and 3, Spine 1–2, atomic counters) and PetStore QA (Leaf 3 and 4, Spine 2–3, atomic counters).
  40. Hypervisor Integration with Cisco ACI: Cisco ACI fabric implements policy on virtual networks by mapping endpoints to EPGs; endpoints in a virtualized environment are represented as the vNICs; the VMM applies network configuration by placement of vNICs into port groups or VM networks; EPGs are exposed to the VMM as a 1:1 mapping to port groups or VM networks. (Application Network Profile: EPG WEB to WEB port group, EPG APP to APP port group, EPG DB to DB port group, with F/W and L/B services between them.)
  41. End Points and End Point Groups: end points are physical or virtual devices which attach to the network. Identified end points are aggregated into End Point Groups. Examples include: virtual machine, physical server; Layer 2 or 3 switch; VLAN; subnet; load balancer; firewall.
  42. ACI – Application Network Profile (figure: web, app and db EPGs of one application). End Point Group: a collection of end-points connecting to the network (VMs, physical compute, ...). Contract: a set of network requirements specifying how application components communicate with each other (access control, QoS, network services). The Outside: rules of how the application communicates to the external private or public networks. Network as a virtual patch panel.
  43. Defining Application Logic Through Policy – current policy definition versus policy based on contracts: rules, actions, SLAs, security, L4-7, QoS.
  44. Defining Application Logic Through Policy – Defining provider/consumer relationships (DB Farm example, built up over slides 44–46).
  47. Defining Application Logic Through Policy – Object Relationships: relationships between objects/groups are defined by providing or consuming contracts; connectivity is 'turned on' by creating relationships; objects/groups can provide, consume, or both. Consumer/provider relationships define which objects or groups can communicate and the policy requirements for that connectivity.
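The whitelist model of slides 25, 42 and 47 (EPGs, contracts, provide/consume relationships, deny visibility) can be captured in a few dozen lines. The following is an added example with a constructed web/app/db profile, not APIC's data model or any Cisco code; the contract and EPG names, the filters and the `isolated` flag (standing in for the intra-EPG isolation feature announced on slide 54) are all assumptions made for illustration.

```python
"""Whitelist contract evaluation in the style of ACI EPGs and contracts.

Added example with constructed data; not APIC's data model or Cisco code.
An EPG may send traffic to another EPG only when the sender consumes a
contract that the receiver provides and one of the contract's filters
matches the traffic; everything else is denied and logged, mirroring the
deck's 'contract deny logs'. Endpoints within one EPG talk freely unless
the EPG is marked isolated (the intra-EPG isolation feature).
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Filter:
    proto: str                   # e.g. "tcp", "udp", "icmp"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, proto: str, dport: Optional[int]) -> bool:
        return self.proto == proto and (self.dport is None or self.dport == dport)


@dataclass
class Contract:
    name: str
    filters: list  # Filter objects; traffic matching any of them is permitted


@dataclass
class EPG:
    name: str
    provides: set = field(default_factory=set)  # contract names this EPG provides
    consumes: set = field(default_factory=set)  # contract names this EPG consumes
    isolated: bool = False  # intra-EPG isolation: members cannot reach each other


class Fabric:
    """Minimal policy engine: default deny, explicit allow through contracts."""

    def __init__(self, contracts, epgs):
        self.contracts = {c.name: c for c in contracts}
        self.epgs = {e.name: e for e in epgs}
        self.deny_log = []  # (src, dst, proto, dport) tuples, like contract deny logs

    def allowed(self, src, dst, proto, dport=None):
        """True if the src EPG may initiate proto/dport traffic to the dst EPG."""
        s, d = self.epgs[src], self.epgs[dst]
        if s is d:
            verdict = not s.isolated
        else:
            # Only contracts consumed by the sender AND provided by the receiver
            # count; the provider side cannot initiate through the same contract.
            verdict = any(
                f.matches(proto, dport)
                for name in s.consumes & d.provides
                for f in self.contracts[name].filters
            )
        if not verdict:
            self.deny_log.append((src, dst, proto, dport))
        return verdict


def build_three_tier():
    """Constructed web/app/db application network profile (assumed names)."""
    contracts = [
        Contract("web-to-app", [Filter("tcp", 8080)]),
        Contract("app-to-db", [Filter("tcp", 3306)]),
        Contract("health", [Filter("icmp")]),
    ]
    epgs = [
        EPG("web", consumes={"web-to-app", "health"}),
        EPG("app", provides={"web-to-app", "health"}, consumes={"app-to-db"}),
        EPG("db", provides={"app-to-db"}, isolated=True),
    ]
    return Fabric(contracts, epgs)


if __name__ == "__main__":
    fab = build_three_tier()
    for flow in [("web", "app", "tcp", 8080), ("web", "db", "tcp", 3306),
                 ("app", "web", "tcp", 8080), ("db", "db", "tcp", 3306)]:
        print(flow, "ALLOW" if fab.allowed(*flow) else "DENY")
    print("deny log:", fab.deny_log)
```

Note that the filters are stateless, as on slide 16: permitting web to open tcp/8080 to app says nothing about the return direction, which a real deployment must cover explicitly.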
  48. Stateless Hardware – Cisco (2009): "Stateless hardware will change computing". UCS Manager: the admin creates policies and profiles; the admin does not program the hardware; UCS Manager configures the stateless HW. (Figure: UCS blade chassis with UCS 2204XP fabric extenders and UCS 6248UP fabric interconnects.)
  49. Stateless Hardware – Cisco (2014): "Stateless hardware will change networking". The admin creates policies and profiles; the admin does not program the hardware; APIC pushes policies and profiles to the HW; the HW programs itself!
  50. Cisco ACI Layer 4-7 Service Integration – Centralized and Automated, and Supports the Existing Model: elastic service insertion architecture for physical and virtual services; helps enable administrative separation between application-tier policy and service definition; Cisco APIC as the central point of network control with policy coordination; automation of service bring-up/tear-down through a programmable interface; supports the existing operational model when integrated with existing services; service enforcement assured, regardless of endpoint location. (Figure: Web Tier A and App Tier B joined by chain "Security 5" with policy redirection; the application admin defines the chain, the service admin defines the service graph of stages 1..N with firewall and load balancer provider instances and the ServiceProfile "Security 5".)
  51. Expanding the ACI Ecosystem – End-to-End Automation of the Digital Enterprise (47+ ecosystem partners): maximize application value through IT; application policy enforcement and visibility; fault detection and assurance; application infrastructure performance monitoring, dependency mapping and visualization; secure platform as a service with a self-service application portal for developers; application policy driven network service delivery in OpenStack.
  52. Service Automation Through Device Package: service automation requires a vendor device package; it is a zip file containing the device specification (XML file) and device scripts (Python). Cisco APIC interfaces with the device using the device Python scripts; Cisco APIC uses the device configuration model provided in the package to pass appropriate configurations to the device scripts; device script handlers interface with the device using its REST or CLI interface. (Figure: APIC node with policy element, device model, device-specific Python scripts, script interface and script engine; device interface REST/CLI to the service device. Device specification fragment as shown on the slide: <dev type="name"> <service type="slb"> <param name="vip"> <dev ident="210.1.1.1" validator="ip" hidden="no" locked="yes">.)
  53. Operations Made Easy – Capacity Planning, Configuration, Monitoring and Troubleshooting (ACI 1.2(1x) operations): NX-OS style CLI (flexibility to perform any operation through the CLI); ACI Optimizer (optimize hardware resource utilization); configuration rollback (protection against inadvertent configurations); system-wide heat map (real-time visibility into system health). Accelerating application deployment and management.
  54. ACI Software Release: APIC 1.2(1x) and NX-OS 11.2(1x) – Enhanced Micro-Segmentation, New Docker Support for Containers. Themes: 1. extending cloud automation and security; 2. broader ecosystem support and operational flexibility; 3. enhanced application mobility and disaster recovery. Items: micro-segmentation for Hyper-V, VMware vDS and physical; vRealize Automation for private cloud; OpenStack with OpFlex support; Docker container plug-in (open source); network automation for any service device; configuration rollback, NX-OS style CLI; policy coordination across multi-site (ACI Toolkit 'Multi-site App', Site 1 and Site 2). Upcoming in Q1 CY16 (1.2(x) maintenance release): intra-EPG isolation and micro-segmentation (VMware vDS); intra-EPG isolation and micro-segmentation (physical).
  55. New Granular Segmentation for Physical + Virtual – Microsoft Hyper-V, VMware VDS and physical workloads. ACI policy segmentation today: basic DC segmentation (PROD, POD, DMZ, shared services on VLAN 1, VXLAN 2, VLAN 3); network-centric segmentation; service-level segmentation (WEB, APP, DB with FW). NEW: intra-group workload isolation (isolate VMs and bare-metal workloads within the same policy group (EPG); available in the maintenance release). NEW: attribute-based isolation for physical and virtual workloads (e.g. OS 'Linux', name 'Video', IP '1.1.1.x' within the Web Tier end point group): Microsoft Hyper-V virtual switch (Q4 2015); virtual distributed switch and bare-metal (Q1 2016); Cisco Application Virtual Switch for VMware (existing, available now).
  56. ACI – Cloud Automation with vRealize: ACI policy driven vRealize Automation blueprints to accelerate application deployment (vRealize Automation and vRealize Orchestrator; figure: Tenant 1 with App, Web and DB on an ESX hypervisor). Day zero and day 1/day 2 operations: fabric bring-up; infrastructure provisioning; security domains; shared services plans; virtual private cloud; networks, subnets, security; deploy tenant; deploy load balancer; deploy app; deploy firewall.
  57. Thank you.
