
Cisco ACI Introduction


  1. Application Centric Infrastructure, V1.2 (May 2015)
     Datacenter SDN Technical Introduction
     Christophe Compain (ccompain@cisco.om), Technical Solutions Architect, EMEAR N9K/ACI Team
  2. © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
     [Diagram: the Network on one side, the « Application » on the other, with policy points (P) between them]
  3. Two languages
     Network infrastructure language: VLAN, subnets, bridging, routing, IP addresses, HSRP/VRRP, VRFs, 10/40/100G, control/data plane, pre-provisioning model, overlay, NFv
     « Application » language: WEB / APP / DB, DevOps, Web 2.0, Big Data, containers, agile model, cloud, PaaS, SaaS
  4. Need agility, responsiveness and performance
     [Diagram: application components spread over zones and workload types: Intranet; Others App (ZONE2); DB (ZONE 3); Time & Labor; Extranet (CLOUD, SaaS); Intranet web front-end (ZONE1); AD (ZONE SHARED); SSO (ZONE SHARED); VMs, « X » containers + MEIOS, bare metals, app tier, KVM; physical, P/V and virtual placement]
  5. Application requirements (numbered 1 to 10 on the slide) for the same application (Intranet, Others, App, DB, Time & Labor, Extranet, Intranet WebFarm, AD, SSO):
     1 Latency needs
     2 L4-L7 requirements
     3 VLAN space
     4 L2 or L3 connections
     5 IPv4 or IPv6
     6 Multicast needs
     7 Workload mobility requirements
     8 Virtual & physical communication
     9 Subnet overprovisioning
     10 Future growth
     Network constructs involved: VLAN, IP address, subnets, firewalls, quality of service, load balancer, access lists.
     Network constructs are tightly coupled, dictating physical and logical topology.
  6. [Diagram: Network, « Application », Complexity, policy points (P)]
  7. [Diagram: OF, Network, « Application », Complexity, network virtualization, « Application » modeling, « Application » telemetry, policy points (P)]
  8. Taxonomy and principal building blocks
     Building blocks: centralized control-plane, programmability, overlay, NFv
     Criteria listed: topology; HA & perf.; protocols; virtual/physical; use cases; devices- or systems-oriented; API and SDK; IP mobility; services; standard (VXLAN); FW/LB and others; compatibility; support
     SDN V0: custom routing; high-scale infrastructure management
     SDN V1: network virtualization; NFv / service chaining
     SDN V2: end-to-end provisioning
  9. [Diagram: Network, « Application », policy points (P), « Application » modeling]
  10. Policy based approach
     [Diagram: VMs in ZONE1, ZONE2 and ZONE3; VM attributes: IP, port, DNS; Network; policy points (P)]
  11. Traditional network vs. Application Centric Infrastructure
     Traditional network: VLAN 10 / 10.0.0.0/24, VLAN 20 / 20.0.0.0/24, VLAN 30 / 30.0.0.0/24, VLAN 40 / 40.0.0.0/24; « physical » segmentation; security and ACL segmentation; subnet/VLAN segmentation
     ACI: « extended » and « non-extended » subnets (10.0.0.0/24, 20.0.0.0/24, 30.0.0.0/24, 40.0.0.0/24) with EPG-10 present in each, plus EPG-A and EPG-B; decoupling « apps » from network constructs; policy between apps/components; « tier » segmentation; the IP plan is independent of mobility and of which application an endpoint belongs to
  12. [Diagram: VM attributes per zone (ZONE1, ZONE2, ZONE3): security, load balancing, monitoring, control; VM attributes: IP, port, DNS; contracts (C) between zones; Network; policy points (P)]
  13. [Same diagram as slide 12]
     Rather than looking at the applications as individual network end-points, policy is driven by viewing the application as a whole: the grouping of end-points and connectivity policies that makes up an application or service.
  14. [Diagram: VMs in ZONE1, ZONE2 and ZONE3; Network; policy points (P)]
  15. [Diagram: application components: Intranet, App, DB, Time & Labor, Extranet, Intranet WebFarm, AD, SSO]
  16. Components mapped to zones
     Database: ZONE3
     Time & Labor: ZONE2ext
     Expenses: ZONE2
     SSO: ZONE SHARED2
     Web front-end: ZONE1 (INTRANET / EXTRANET)
     Active Directory: ZONE SHARED1
  17. [Same mapping as slide 16, with contracts between the zones (six contracts shown)]
  18. [Same diagram as slide 17]
  19. Programmability
     [Same application diagram (Intranet, Others, App, DB, Time & Labor, Extranet, Intranet WebFarm, AD, SSO; Database, Time & Labor, Expenses, SSO, Web front-end, INTRANET, EXTRANET, Active Directory) with contracts and policy points (P)]
  20. Programmability through the REST API
     Management platforms, a resources manager and an automation framework send XML (or JSON) to the APIC:
     REST API: POST http://<APIC-IP>/api/mo/uni.xml
       <fvAp name="myApp">
         <fvAEPg name="ZONE1">
           <fvRsBd tnFvBDName="BD-1" />
           <fvRsProv tnVzBrCPName="Contract1" />
           <fvRsCons tnVzBrCPName="Contract2" />
           <fvRsDomAtt tDn="uni/vmmp-VMware/dom-datacenter" />
         </fvAEPg>
       </fvAp>
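The following is an added example (not from the deck and not Cisco's code) showing how the POST from slide 20 is built and sent: it logs in via aaaLogin, carries the session token in the APIC-cookie header and posts the fvAp document over HTTPS instead of the http:// shown on the slide. The slide shows the fvAp element alone; a real POST to uni.xml needs the enclosing fvTenant, which the example adds. The tenant name "tenant-demo", the host name and the credentials are assumptions; the contract, bridge-domain and VMM-domain names are the ones on the slide.

```python
"""Build and send the ACI application-profile POST from slide 20 (added example)."""
import json
import ssl
import urllib.request
import xml.etree.ElementTree as ET


def build_app_profile_xml(tenant, app, epg, bridge_domain, provided, consumed, vmm_domain_dn):
    """Return the XML body for POST /api/mo/uni.xml.

    The slide shows the fvAp element alone; posting to uni.xml requires the
    enclosing fvTenant, so it is added here (the tenant name is an assumption).
    """
    tn = ET.Element("fvTenant", name=tenant)
    ap = ET.SubElement(tn, "fvAp", name=app)
    aepg = ET.SubElement(ap, "fvAEPg", name=epg)
    ET.SubElement(aepg, "fvRsBd", tnFvBDName=bridge_domain)
    for contract in provided:            # contracts this EPG provides
        ET.SubElement(aepg, "fvRsProv", tnVzBrCPName=contract)
    for contract in consumed:            # contracts this EPG consumes
        ET.SubElement(aepg, "fvRsCons", tnVzBrCPName=contract)
    ET.SubElement(aepg, "fvRsDomAtt", tDn=vmm_domain_dn)   # VMM domain attachment
    return ET.tostring(tn, encoding="unicode")


def build_login_payload(username, password):
    """JSON body for POST /api/aaaLogin.json."""
    return json.dumps({"aaaUser": {"attributes": {"name": username, "pwd": password}}})


def parse_login_token(response_body):
    """Extract the session token from the aaaLogin response."""
    data = json.loads(response_body)
    return data["imdata"][0]["aaaLogin"]["attributes"]["token"]


def build_post_request(apic_host, token, xml_body):
    """Authenticated POST to /api/mo/uni.xml over HTTPS (the slide shows plain http://)."""
    req = urllib.request.Request(
        f"https://{apic_host}/api/mo/uni.xml",
        data=xml_body.encode(),
        method="POST",
    )
    req.add_header("Content-Type", "application/xml")
    req.add_header("Cookie", f"APIC-cookie={token}")   # session token from aaaLogin
    return req


def push_policy(apic_host, username, password, xml_body, cafile=None):
    """Log in, then POST the policy. cafile: PEM bundle that signs the APIC certificate."""
    ctx = ssl.create_default_context(cafile=cafile)   # certificate verification stays on
    login = urllib.request.Request(
        f"https://{apic_host}/api/aaaLogin.json",
        data=build_login_payload(username, password).encode(),
        method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(login, context=ctx) as resp:
        token = parse_login_token(resp.read().decode())
    with urllib.request.urlopen(build_post_request(apic_host, token, xml_body), context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    # Assumed tenant name; the other names come from slide 20.
    body = build_app_profile_xml("tenant-demo", "myApp", "ZONE1", "BD-1",
                                 ["Contract1"], ["Contract2"],
                                 "uni/vmmp-VMware/dom-datacenter")
    print(body)
    # push_policy("apic.example.net", "admin", "<password>", body, cafile="apic-ca.pem")
```

The `cafile` argument matters in practice: an APIC ships with a self-signed certificate, and the usual shortcut of disabling verification turns the credential that can reprogram the whole fabric into something any on-path host can capture. Install a certificate from an internal CA on the APIC and pass that CA bundle instead.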
  21. Programmability: the ecosystem
     [Same application diagram as slide 19]
     UCS (Q1CY16); storage systems (post FCS)
     OPEN SOURCE: the open source OpFlex agent is available to anyone
     OPEN ECOSYSTEM: broad, growing support including from hypervisor, network, and L4-7 vendors
     OPEN STANDARD
  22. OpFlex
     •  Distributed control system based on a declarative policy information model. Key components:
        -  logically centralized policy repository (PR)
        -  distributed policy elements (PE)
        -  the OpFlex control protocol runs between PRs and PEs
     •  Communicates policy, events, statistics, and faults
     •  JSON-XML (JSON-RPC 1.0 over TCP) or OpFlex-Binary-RPC as transport protocol
     •  DevOps inspired; builds on "Promise Theory" (similar to Puppet, CFEngine):
        -  PEs act as autonomous agents (pulling policy from PRs)
        -  PEs retrieve an intent / a policy from the PR; in response they "promise" to the PR to implement the intent
        -  Policy is "uncertain", i.e. it is considered to have a lifetime, hence it is refreshed at regular intervals (defined by the "policy refresh rate")
        -  No hierarchy assumed ("peering-style" protocol)
     •  IETF draft: http://tools.ietf.org/html/draft-smith-opflex-00
     •  OpFlex for ACI, an OpFlex agent created for Open vSwitch, the group policy API developed in OpenDaylight, third-party OpFlex agents for LB/FW, ...
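The PR/PE relationship on slide 22 (agents pull an intent, promise to implement it, and treat it as uncertain after its lifetime) can be made concrete with a small model. The code below is an added example written for this page; it is not the OpFlex implementation and does not speak the JSON-RPC wire format. The class and method names, the policy names and the refresh rate are assumptions. It shows three behaviours: a PE serves its cached intent within the lifetime, re-resolves once the lifetime expires (so a lost update is still picked up), and keeps the last rendered intent when the PR is unreachable.

```python
"""Model of OpFlex-style policy resolution with a policy lifetime (added example)."""


class PolicyRepository:
    """Logically centralized policy repository (PR), e.g. the APIC."""

    def __init__(self, refresh_rate):
        self.refresh_rate = refresh_rate   # lifetime handed out with each resolution, in seconds
        self.policies = {}                 # policy name -> intent (a dict)
        self.subscribers = {}              # policy name -> PEs that resolved it
        self.resolutions = 0               # count of policy_resolve requests served
        self.reachable = True              # flip to False to model a PR outage

    def publish(self, name, intent, notify=True):
        """Install or change an intent; push a policy update to PEs holding it unless the push is lost."""
        self.policies[name] = dict(intent)
        if notify:
            for pe in self.subscribers.get(name, ()):
                pe.on_policy_update(name)

    def resolve(self, name, pe):
        """Serve a resolution request: the intent plus its lifetime."""
        if not self.reachable:
            raise ConnectionError("policy repository unreachable")
        self.resolutions += 1
        self.subscribers.setdefault(name, set()).add(pe)
        return dict(self.policies[name]), self.refresh_rate


class PolicyElement:
    """Distributed policy element (PE): pulls an intent and promises to implement it."""

    def __init__(self, repo):
        self.repo = repo
        self.cache = {}      # name -> (intent, expires_at)
        self.rendered = {}   # name -> intent applied to the local forwarding plane

    def on_policy_update(self, name):
        """Push from the PR: drop the cached copy so the next use re-resolves."""
        self.cache.pop(name, None)

    def policy(self, name, now):
        """Intent in force at time `now`; re-resolves when the copy is uncertain (expired or invalidated)."""
        entry = self.cache.get(name)
        if entry is None or now >= entry[1]:
            try:
                intent, ttl = self.repo.resolve(name, self)
            except ConnectionError:
                # PR down: keep enforcing the last promised intent rather than opening up.
                if name in self.rendered:
                    return self.rendered[name]
                raise
            self.cache[name] = (intent, now + ttl)
            self.rendered[name] = intent      # the "promise": the intent is applied locally
        return self.rendered[name]


def demo():
    """Walk through the three behaviours; returns the final rendered intent."""
    pr = PolicyRepository(refresh_rate=30)          # assumed refresh rate
    pr.publish("ZONE1->ZONE2", {"allow": ["tcp/80"]})
    pe = PolicyElement(pr)
    pe.policy("ZONE1->ZONE2", now=0)                # first resolution
    pr.publish("ZONE1->ZONE2", {"allow": ["tcp/80", "tcp/443"]}, notify=False)  # push lost
    pe.policy("ZONE1->ZONE2", now=10)               # still served from cache
    pe.policy("ZONE1->ZONE2", now=30)               # lifetime elapsed: re-resolved
    pr.reachable = False
    return pe.policy("ZONE1->ZONE2", now=100)       # PR outage: last intent stays in force


if __name__ == "__main__":
    print(demo())
```

The outage branch is the security-relevant design choice: a PE that cannot refresh keeps enforcing its last promised policy (fail-static) instead of dropping to permit-all. The lifetime bounds how long a stale policy can survive a lost update even without the push path.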
  23. Policy repository and policy element
     Policy Repository: a policy authority (e.g. APIC, OpenDaylight Controller) manages a logical model of desired state.
     Policy Element (agent/plugin): the policy endpoint interprets the policy and maps it to its hardware capabilities. It exchanges Policy Resolution and Policy Update messages with the repository and receives only the subset of policy it needs.
     Device: the operating system renders that subset to configuration (device config: VLANs, ports, ...).
  24. Partner ACI integration and ETA
     Palo Alto Networks: automation of security policies and central point of mgmt through APIC; Q2CY15
     A10: SLB policy automation, service chaining & insertion, health score; OK
     Check Point: automation of security policies and central point of mgmt through APIC; OK
     Radware: automation of ADC and DDoS policies, with central point of mgmt through APIC; OK
     Cisco CSR: automation of NAT and SGT policies (under discussion), with central point of mgmt; Q3 CY15
     Cisco WAAS: automation of WAN Optimization policies, with central point of mgmt through APIC; Q3 CY15
     Fortinet: automation of security policies and central point of mgmt through APIC; TBD
     Riverbed: automation of virtual ADC & WAN Opt policies, with central point of mgmt through APIC; TBD
     F5: BIG-IP physical and Virtual Edition, v 11.4.1; OK
     Citrix: NetScaler MDX, SDX, VPX (v 10.1.e), NetScaler 1000v; OK
     Cisco ASA: ASA 5585 (v 8.4), ASAv (v 9.2.1); OK
     Cisco Sourcefire: OK
  25. [Diagram: VM attributes per zone (ZONE1, ZONE2, ZONE3): security, load balancing, monitoring, control; VM attributes: IP, port, DNS; contracts (C); Network; policy points (P); encapsulations: WEB VLAN 500, WEB NVGRE 9730, port group WEB VLAN 500, VM network APP NVGRE 9730]
  26. [Same diagram as slide 25]
     ACI fabric:
     -  centralized control-plane (hybrid mode)
     -  IP network with integrated overlay (VXLAN)
     -  full IP mobility
     -  distributed gateway and optimal forwarding
     -  designed for 1M hosts, plus Cisco network innovations
  27. Congestion management
     [Diagram: link loads 60%, 60%, 90%; dynamic load balancing; dynamic packet prioritization; policy points (P)]
  28. Congestion management, big data use case
     [Chart: completion time in seconds (axis 100 to 300) for ACI vs. a traditional network; dynamic load balancing and dynamic packet prioritization]
  29. Remove the problems of forcing the network to fit
     Forwarding is defined by policy: EPG 'ZONE1' can talk to EPG 'ZONE2' independent of IP subnet, VLAN/VXLAN and VRF, if the policy in the application network profile says it should.
     [Diagram: multiple sources on one side, one source on the other; label "% of implemented hypervisor"; encapsulations 802.1Q VLAN 55, NVGRE VSID 5165, VXLAN VNID 8765; 10.10.11.12 in VRF Retail Bank, 10.10.11.12 in VRF Shared, 192.168.11.3 in VRF Storage; ports 1/4 and 8/2; policy points (P)]
     True 'any to any' connectivity: forwarding within the fabric is defined by the forwarding policy of the network profile (EPG), 'not' by the VLAN, VXLAN, subnet, VRF, ...
     Agnostic server connections; workload independent; coherency and automation.
  30. [Diagram: VMs in ZONE1, ZONE2 and ZONE3, IP services, policy points (P)]
     IP services can be directly managed by APIC. A packet matching a redirection rule is sent into a service graph. A service graph can be one or more service nodes pre-defined in series; it simplifies and scales service operations.
     Ecosystem: automation through the insertion of "device packages" (version, device, rules). Other equipment: integration by scripting.
  31. [Diagram: Network, « Application », policy points (P)]
  32. Atomic counters
     Packets sent from Leaf #2 to Leaf #5 vs. packets received on Leaf #5 sent from Leaf #2:
       Path    Sent   Received   Difference
       Path 1  2068   2066       2
       Path 2  2963   2963       0
       Path 3  2866   2869       13
       Path 4  2506   2506       0
     Consistency of the counters (atomic) inside the fabric; latency computation (IEEE 1588); granularity from the TCP port to the EP belonging to an EPG.
  33. Application-level visibility
     [Diagram: ZONE1 (Dev): leaf 1 and 2, spine 1-3, atomic counters; ZONE2 (PROD): leaf 2 and 3, spine 1-2, atomic counters; ZONE3 (QA): leaf 3 and 4, spine 2-3, atomic counters; an event in ZONE1 reported to APIC]
     Actions: no new hosts or VMs; evacuate hypervisors; re-balance clusters
     VXLAN per-hop visibility; physical and virtual as one
     The ACI fabric provides the next generation of analytic capabilities, per application, tenant and infrastructure: health scores, latency, atomic counters, resource consumption
     Integrate with workload placement or migration; triggered events or queries
  34. [Diagram: APIC, Nexus 9500 and 9300, policy model]
  35. High-performance 10 Gbps/40 Gbps/100 Gbps switch family: flexible form factors can enable variable data center design and scaling
     Criteria: performance, ports, price, programmability, power; scalable 1GE/10Gbps/40Gbps/100GE performance
     Nexus® 9300:
       48 1/10G SFP+ & 12 QSFP+ (FCS Q4 2013)
       96 1/10G-T & 8 QSFP+ (FCS Q1 2014)
       12-port QSFP+ GEM (FCS Q1 2014)
     Nexus 9500:
       ACI-ready leaf line card, 48 1/10G-T & 4 QSFP+ (FCS Q1 2014)
       ACI-ready leaf line card, 48 1/10G SFP+ & 4 QSFP+ (FCS Q1 2014)
       Aggregation line card, 36 40G QSFP+ (FCS Q4 2013)
       C9500 8-slot chassis (FCS Q4 2013)
  36. Removing 40 Gb barriers
     Problem:
     •  40 Gb optics are a significant portion of capital expenditures (CAPEX)
     •  40 Gb optics require new cabling
     •  Re-use existing 10 Gb MMF cabling infrastructure
     •  Re-use patch cables (same LC connector)
     Solution, the Cisco® 40 Gb SR-BiDi QSFP:
     •  QSFP, MSA-compliant
     •  Dual LC connector
     •  Support for 100 m on OM3 and up to 150 m on OM4
     •  TX/RX on two wavelengths at 20 Gb each
     Available end of CY13 and supported across all Cisco QSFP ports
  37. Software upgrade
     Standalone mode (NX-OS): Q4 CY2013
     ACI mode (APIC): since Summer 2014
     Themes: performance and scale, security, simplicity, open, agility, automation and visibility
  38. Extension scenarios
     Extend ACI to local hypervisors (vSwitch, AVS)
     Extend ACI to WAN/DCI
     Interconnect to existing DC networks
     Extend ACI to existing Nexus installations via a full ACI VXLAN switching enabled hypervisor 'and' a remote ACI physical leaf
     "Let me just run my network (but fix my flooding, mobility, configuration, troubleshooting challenges)"
     [Callout on the slide: ABSOLUTELY NOT !!!]
  39. Four integration models
     Extend: APIC over an existing 2K-7K fabric, AVS on hosts (virtual and physical), N9K ACI leaf overlay; full policy & management model; seamless HW gateway integration
     Integrate: APIC, hosts (virtual and physical), ACI policy block with EPG extension into the 2K-7K fabric; full policy model; zero impact to existing fabric
     N2K FEX integration in the ACI fabric: deploy N2K in the ACI fabric
     WAN/DCI or DC core (Nexus 7x00): APIC-integrated N7K/ASR9K DCI; automated DCI integration; large-scale tenant extension
  40. Nexus 2200 FEX support
     •  Investment protection
     •  Cost-effective 100 Mbps / 1 Gbps server access
     •  FEX support scalability
        -  Up to 32 FEXs per Nexus® 9500
        -  Up to 16 FEXs per Nexus 9300
     Supported models: Nexus 2248TP, Nexus 2248TP-E, Nexus 2232PP-10Gbps, Nexus 2232TM, Nexus 2232TM-E, Nexus 2248PQ, Nexus B22-HP, Nexus B22-Dell
  41. Cisco ACI: simply a better approach
     ACI: systems + ASICs + software; choice of hypervisor / open source / operational models; scale-out performance; systems approach; secure workload placement; application visibility + health metrics; common policy model, physical + virtual; lower TCO; simplicity, scale, security
     "DIY" basic switching: white box, merchant silicon
     Traditional switching: integrated hardware and switching software
     Software-only virtual overlay: VM-based policy, SDN LAN emulation, VM mobility, application and end-point aware; scale limitations, operational disruptions, dependent on hypervisor
  42. End of April 2015: 2,655+ Nexus 9K and ACI customers globally; 585+ APIC customers; 35 ecosystem partners across application, compute, network, cloud, storage and security
  43. Business case
     Reduce network provisioning: 58%
     Reduce management costs: 21%
     Reduce power and cooling costs: 45%
     CAPEX reduction: 25%
     Compute and storage optimization: 10–20%
     Outcomes: greater business agility, lower capital expenses, reduced costs/complexity, lower operating cost, resource optimization
  44. "It's critical that we are able to deliver hundreds of thousands of transactions per second, so latency and 40G throughput is a number one concern. After evaluating numerous vendor solutions, Cisco's Nexus 9000 switching platform provided us with the best performance to support our evolving data centers, while protecting existing IT investments." Bob Hammond, CTO, Millennial Media
     "Symantec is an early adopter of Cisco's ACI, leveraging the technology within our own Agile Data Center. Cisco ACI brings the scalability and efficiency we need while enabling us to truly bring next generation networking capabilities to our customers." Jon Sanchez, Director of Data Center Services, Symantec
  45. Summary
     Centralized provisioning tool: program abstraction model on physical infrastructure; in charge of infrastructure bring-up and operations; telemetry with health checks per application
     Automated host-based routing: fabric encapsulation normalization; workload normalization (physical / virtual); enhances application performance
     Open system with public APIs (North and South): large ecosystem allowing unified provisioning through APIC
     New communication language aligned with application teams' expectations
  46. [Diagram: ZONE1, ZONE2 and ZONE3, each with end points EP1 to EP4]
  47. First, we need a way to identify and group together end points.
     [Diagram: ZONE1, ZONE2 and ZONE3, each with EP1 to EP4]
  48. In the ACI model, we do this using the End Point Group (EPG).
     [Diagram: EPG "ZONE1", EPG "ZONE2" and EPG "ZONE3", each with EP1 to EP4]
  49. A collection of EPGs and the policies that define how they communicate form an Application Profile.
     [Diagram: EPG "Web", EPG "App" and EPG "DB" shown alongside EPG "ZONE1", EPG "ZONE2" and EPG "ZONE3", each with EP1 to EP4]
  50. Once we have our EPGs defined, we need to create policies to determine how they communicate with each other. These policies are Contracts.
     [Diagram: EPG "ZONE1", EPG "ZONE2" and EPG "ZONE3" joined by contracts]
  51. A contract typically refers to one or more 'filters' to define the specific protocols, ports or services allowed between EPGs.
     [Diagram: EPG "ZONE1", EPG "ZONE2" and EPG "ZONE3" joined by contracts; filters TCP: 80 and TCP: 443; services chaining]
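Slides 46 to 51 describe the model in words: endpoints are grouped into EPGs, an Application Profile collects EPGs plus the contracts between them, and a contract names the filters (such as TCP 80 and TCP 443) allowed between a consumer EPG and a provider EPG, with everything else dropped. The code below is an added example written for this page, not Cisco's implementation: it models exactly that whitelist and answers "may this endpoint talk to that one on this port?", then flattens the model into audit rules. The endpoint names EP1 to EP6, the contract names and the database port are constructed; the EPG names ZONE1 to ZONE3 and the TCP 80/443 filters are the slide's.

```python
"""EPG / contract / filter whitelist model from slides 46-51 (added example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Filter:
    """One filter entry: protocol plus destination port (None means any port)."""
    protocol: str
    port: Optional[int] = None

    def matches(self, protocol, port):
        return self.protocol == protocol and (self.port is None or self.port == port)


@dataclass
class Contract:
    name: str
    filters: frozenset          # of Filter


@dataclass
class EPG:
    name: str
    endpoints: set = field(default_factory=set)
    provides: set = field(default_factory=set)   # contract names this EPG provides
    consumes: set = field(default_factory=set)   # contract names this EPG consumes


class ApplicationProfile:
    """EPGs plus the contracts between them. Inter-EPG traffic not covered by a contract is dropped."""

    def __init__(self, name):
        self.name = name
        self.epgs = {}
        self.contracts = {}

    def add_epg(self, epg):
        self.epgs[epg.name] = epg

    def add_contract(self, contract):
        self.contracts[contract.name] = contract

    def epg_of(self, endpoint):
        for epg in self.epgs.values():
            if endpoint in epg.endpoints:
                return epg
        raise LookupError(f"{endpoint} is not a member of any EPG")

    def allowed(self, src_ep, dst_ep, protocol, port):
        """True if a flow from src_ep towards dst_ep on protocol/port is permitted by some contract."""
        src, dst = self.epg_of(src_ep), self.epg_of(dst_ep)
        if src is dst:
            return True                     # intra-EPG traffic is permitted by default
        for name in src.consumes & dst.provides:    # consumer initiates towards provider
            if any(f.matches(protocol, port) for f in self.contracts[name].filters):
                return True
        return False                        # whitelist: no contract, no traffic

    def effective_rules(self):
        """Flatten the model into (consumer EPG, provider EPG, protocol, port) tuples for audit."""
        rules = []
        for consumer in self.epgs.values():
            for provider in self.epgs.values():
                if consumer is provider:
                    continue
                for name in sorted(consumer.consumes & provider.provides):
                    filters = sorted(self.contracts[name].filters,
                                     key=lambda f: (f.protocol, f.port or 0))
                    for f in filters:
                        rules.append((consumer.name, provider.name, f.protocol, f.port))
        return rules


def build_demo_profile():
    """Three-tier profile with constructed names: ZONE1 (web) consumes ZONE2 (app), which consumes ZONE3 (db)."""
    ap = ApplicationProfile("myApp")
    ap.add_contract(Contract("web-to-app", frozenset({Filter("tcp", 80), Filter("tcp", 443)})))
    ap.add_contract(Contract("app-to-db", frozenset({Filter("tcp", 5432)})))   # constructed port
    ap.add_epg(EPG("ZONE1", {"EP1", "EP2"}, consumes={"web-to-app"}))
    ap.add_epg(EPG("ZONE2", {"EP3", "EP4"}, provides={"web-to-app"}, consumes={"app-to-db"}))
    ap.add_epg(EPG("ZONE3", {"EP5", "EP6"}, provides={"app-to-db"}))
    return ap


if __name__ == "__main__":
    ap = build_demo_profile()
    for rule in ap.effective_rules():
        print(rule)
    print("web -> db on 5432 allowed?", ap.allowed("EP1", "EP5", "tcp", 5432))
```

Two points the model makes visible: the web tier cannot reach the database directly even though both subnets are routable, because no contract joins ZONE1 and ZONE3; and `effective_rules()` is the list a reviewer should compare against the intended segmentation before a profile is pushed to the APIC. The model only evaluates flows initiated from consumer towards provider; how return traffic and both-direction contracts are handled on the real fabric is outside it.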
