
Application Centric Infrastructure (ACI)



Overview of ACI at the Colorado Springs Tech Day 2016

Published in: Technology

  1. Application Centric Infrastructure (ACI). Ross Adams, Systems Engineer, May 4, 2016
  2. Network View of the World
      • (diagram: the OSI stack of Application, Presentation, Session, Transport, Network, Datalink and Physical layers; IDC)
  3. Most other people’s view…
      • API; Default Gateway
  4. How we do things today…: Service Insertion in Traditional Networks
      • Configure firewall rules as required by the application
      • Configure the network to insert the firewall
      • Configure firewall network parameters
      • Configure the load balancer as required by the application
      • Configure load balancer network parameters
      • Configure the router to steer traffic to/from the load balancer
      • Result: service insertion takes days; network configuration is time consuming and error prone; it is difficult to track configuration on services; compliance risk (left-behind ACLs)
      • (diagram: Server, vFW, Switch, Router, FW, Router, LB)
  5. “On-Boarding” Applications is Still Slow
      • Requirements (Performance, Security, Availability, Scale) are met per tier (Web, App Tier, DB Tier) on physical and virtual servers
      • Each tier brings its own firewalls, application delivery controllers, intrusion detection, web security appliances, storage and web caches
      • Each step needs the IT organization’s Application, Compute, Storage, Network and Security teams
  6. Network Automation
  7. Automating the Data Center Network: Cisco’s DC SDN Strategy
      • Programmable Network: open programmable NX-OS
      • Programmable Fabric: open standards, BGP EVPN
      • Cisco ACI: open policy API, multi-cloud ecosystem
  8. Cisco Application Centric Infrastructure: The Most Comprehensive SDN Solution
      • A SINGLE architecture to deliver performance, programmability, agility and reduced complexity
      • An Application Centric Policy Model that dynamically defines the network fabric by means of the application requirements
      • An AUTOMATED network fabric for virtual AND bare-metal workloads and services (hypervisor agnostic, container ready, etc.)
      • Enterprise scale and performance requires hardware acceleration
  9. Understanding ACI Building Blocks
  10. ACI Fabric
  12. Physical Spine & Leaf Topology: IP Fabric with integrated overlay
      • 40G IP fabric supporting routing to the edge (100G capable)
      • Scale to 6 spines, 200 leaf switches, 10k physical servers *
      • Automated power-on provisioning to boot leaf and spine nodes
  13. IS-IS Fabric Infrastructure Routing
      • Fabric leverages IS-IS for infrastructure topology routing (IS-IS Level 1, IS-IS LSPs, IP unnumbered links)
      • Advertises loopback and VTEP addresses
      • Responsible for generating the multicast trees in the fabric
      • IS-IS tuned for a densely connected fabric
  14. Logical Topology (ACI spine nodes and ACI leaf nodes): IP Fabric with integrated overlay
      • Integrated VXLAN routing and bridging
      • Logical topologies are decoupled from the physical topology
      • Distributed GW routing
      • Standard bridging and routing without location constraints (any IP address anywhere)
      • Removal of flooding requirements for the IP control plane (ARP/GARP)
      • Multi-tenant support for overlapping addresses
  15. ACI Fabric Load-Balancing: Focus on the Application Response Time
      • ACI Fabric tracks the congestion along the full path between the ingress leaf and the egress leaf through the data plane, using real-time measurements
      • Fabric load-balances traffic on a ‘flowlet’ basis
      • Fabric prioritizes small (and early) flowlets
  16. Application Policy Infrastructure Controller
      • Policies are pushed through the API to the spine and leaf nodes
      • Distributed policy enforcement
      • Just-in-time resolution, performed by embedded policy enforcement agents (PEs)
  17. Implementing Policy
  18. What is an Application? More than just a VM
      • Interconnected components: web VMs, app VMs and database servers, reached from the internet and the external private network
      • How do we define the network for the application?
  19. Application Network Profile: application-centric network policy
      • End Point Group (or VMware Port Group): a collection of end-points connecting to the network (web, app, db)
      • Policy: a set of network requirements specifying how application components communicate with each other (Access Control, QoS, L4–L7 Services)
      • The Outside: rules of how the application communicates with the external private or public networks
      • Application Level Metadata describes the application’s infrastructure dependencies
  20. ACI Application Network Profile (ANP): Policy-Based Fabric Management
      • Application Network Profile: stateless definition of application requirements
          • Application tiers, zones
          • Connectivity policies
          • Layer 4–7 services
          • XML/JSON schema
      • Fully abstracted from the infrastructure implementation
          • Removes dependencies on the infrastructure
          • Portable across different data center fabrics
      • App Network Profile: defines application level metadata (pseudo code example):

            <Network-Profile = Production_Web>
              <App-Tier = Web>
                <Connected-To = Application_Client>
                  <Connection-Policy = Secure_Firewall_External>
                <Connected-To = Application_Tier>
                  <Connection-Policy = Secure_Firewall_Internal & High_Priority>
                . . .
              <App-Tier = DataBase>
                <Connected-To = Storage>
                  <Connection-Policy = NFS_TCP & High_BW_Low_Latency>
                . . .

      • The network profile fully describes the application connectivity requirements (Application: Web Tier, App Tier, DB Tier, Storage)
  21. ACI End-Point Group (EPG): Policy Model
      • EPGs are a grouping of end-points representing applications or application components, independent of other network constructs
      • (diagram: EPG Web containing HTTP and HTTPS services)
  22. EPGs, Subnets and Policy
      • EPGs separate the addressing of an application from its mapping and policy enforcement on the network
      • Policy/security enforcement occurs at the EPG level
      • (diagram: EPG Web spanning the 10.10.10.x and 10.10.11.x subnets)
  23. ACI Network Logical Constructs (Tenant, VRF/Context, Bridge Domain, EPG)
      • A tenant can have a single or multiple VRFs or Contexts
      • Each VRF can have a single or multiple Bridge Domains (BD)
      • An End Point Group (EPG) is defined as a member of a VRF
      • Forwarding policies rendered by the network reference an EPG’s associated BD and VRF/Context
  24. ACI Network Logical Constructs and IP Addressing
      • Bridge Domains support multiple subnets
      • Address blocks do not need to be divided into per-rack or per-pod ranges
      • Per-Bridge-Domain support for flooding behavior (non-IP traffic, broadcast-based applications)
      • (diagram: one Bridge Domain marked “Broadcast Application, Flooding Allowed”, others carrying plain subnets)
  25. ACI End Point Group Contracts
      • A contract between EPG WEB (consumer) and EPG APP SERVER (provider) allows rules and policies to be specified on groups of physical or virtual end-points without knowledge of specific identifiers and regardless of physical location
      • A subject is a list of filter/action pairs: the filter is the classifier the actions apply to (L4 port ranges, TCP options, …); the action identifies what is applied to the subject (QoS, Log, Redirect into SVC graph, …)
      • End points in EPG WEB can access end-points in EPG APP SERVER according to the rules specified in the contract
  26. Extending Policy & Automation to L4-L7 Devices: Building Blocks of ACI
      • Building blocks: Controller, Policy Model, Nexus 9300 and 9500, Application Network Profile
      • Application: a traditional 3-tier application (WEB-APP-DB); this may use ADC and FW services (L4-L7 devices, physical + virtual)
      • End Point Group (EPG): grouping of application components
      • Application Policy Model: defines QoS, security, network, L4-L7, etc. to be applied to an EPG
  27. Scalable, Consistent Approach to ACI Integration: Solution Partner Device Package for Cisco ACI
      • Cisco® Application Policy Infrastructure Controller (APIC) provides an extensible policy model through device packages
      • An APIC administrator can import a partner device package
      • A device package is an XML file defining the device configuration model and the parameters required for Layer 4-7 use cases, plus Python scripts run by the APIC script engine through the APIC script interface
      • After it has been imported, APIC can configure device functions and parameters
      • Device scripts translate APIC and Cisco API™ callouts to device-specific callouts
  28. OpFlex: A flexible, extensible policy protocol
      • OpFlex is a new extensible policy resolution protocol designed for declarative control of any datacenter infrastructure
      • OpFlex was designed to offer:
          1. Abstract policies rather than device-specific configuration
          2. Flexible, extensible definition of policy using XML / JSON
          3. Support for any device: vswitch, physical switch, network services, servers, etc.
      • (diagram: APIC speaking OpFlex to agents on the hypervisor, switch, firewall and ADC, with an OpFlex proxy in front of devices that only expose a legacy API)
      • Policies cover: who can talk to whom, what about, topology control, ops stuff
  30. Application Awareness: Application-Level Visibility
      • ACI Fabric provides the next generation of analytic capabilities
      • Per application, tenant and infrastructure: health scores, latency, atomic counters, resource consumption
      • VXLAN per-hop visibility; physical and virtual as one
      • Integrate with workload placement or migration; triggered events or queries
      • Example (PetStore): the Dev, Prod and QA instances each map to their own leaf and spine sets with atomic counters (Dev: Leaf 1 and 2, Spine 1–3; Prod: Leaf 2 and 3, Spine 1–2; QA: Leaf 3 and 4, Spine 2–3); actions on a PetStore event: no new hosts or VMs, evacuate hypervisors, re-balance clusters
  31. ACI Development
  32. ACI Policy Extended to Docker Containers: Project Contiv Offers Open Source Docker Integration for APIC
      • Container management: Docker, Kubernetes, Mesos (future)
      • Unified policy automation and enforcement across physical, virtual and containers
      • Project Contiv solution highlights:
          • Open source project for defining operational policies for container deployment
          • Includes a Docker networking plugin and APIC API integration
          • ACI policies can be extended across physical, virtual machines and Docker containers
          • Open source Project Contiv can be used to integrate Docker containers with ACI
      • (diagram: Contiv Master and Contiv APIC plugin; OVS with the Contiv plugin on each Docker host / hypervisor)
  33. ACI Multi-Site: Multi-Floor, Multi-Building, Cross Campus, Multiple Data Centers Over Distance
      • Stretched Fabric (available now!)
      • Multi-Site (with ACI Toolkit): a single management and policy domain across multiple fabric instances (Site 1 datacenter and Site 2 datacenter joined over an L3 network)
      • Policy extended to WAN; Multi-Pod / Multi-Site
      • Consistent policy, application mobility, disaster recovery, application availability
      • (timeline labels on the slide: Available Now, Q4 CY 2015, Futures)
  34. Conclusion
  35. A Network. Not a Network Emulation
      • Simplified, single architecture performing both overlay and underlay functions
          • Provides the benefits of SDN + policy without the complexity of a separate overlay and underlay
          • Reduces complexity and adds operational simplicity
          • Distributed fabric intelligence reduces engineering
          • Pre-architected, pre-validated, pre-hardened
      • Optimal traffic forwarding
          • Location independent forwarding
          • Congestion monitoring
          • Flowlet switching
          • Fabric load balancing
          • Anycast gateway
      • Full real-time visibility
          • Tenant level
          • Network level
          • Application level
          • Atomic counters
      • Full visibility of overlay and underlay for telemetry and troubleshooting (APIC)
  36. Penalty Free, Low Latency Fabric; Scale Out Performance
      • Penalty free, low latency network fabric
          • <5 microsecond latency port to port
          • Inherent line-rate stateless firewall
          • Line-rate L2/L3 services implemented at the leaf
          • Line-rate VXLAN integrated overlay
      • Scale out performance
          • 128,000 endpoints supported
          • 6000 physical servers supported
          • Declarative policy model is highly scalable compared to imperative SDN models
          • Spine–leaf penalty free fabric
      • Enterprise class network performance and scale built on integrated software and hardware
  37. Simple, Scalable and Fast: Common Policy Model
      • Abstracted policy model based on application requirements
      • Declarative model based on the scalable control of intelligent objects
      • Infrastructure operates as a single system providing specific connectivity and services based on application definitions
      • Allows application developers to succinctly and easily describe Infrastructure as Code
      • Policy allows infrastructure and dev teams to use a common requirements language to accelerate application deployment
      • Every software and hardware component is a programmatic object
      • Policy integration northbound with automation toolsets (e.g. OpenStack) and southbound with 3rd party network services vendors (e.g. F5)
      • Software-defined infrastructure based on the application requirements (diagram: Application Network Profile with WEB, APP and DB EPGs joined by contracts that insert ADC and F/W services)
  38. Not Everything is Virtual: Physical and Virtual
      • A single fabric that seamlessly supports both virtual and physical workloads
      • No requirement for dedicated gateways to integrate the physical and virtual worlds
      • Expressive policy model that provides complete automation for virtual and physical L4-L7 services (Cisco and 3rd party)
      • Consistent policy enforcement across all workloads, irrespective of whether they are virtual or physical
      • Agnostic to hypervisor (ESX, Hyper-V, KVM, LXC)
      • Agnostic to host-based encapsulation (VXLAN, NVGRE, VLAN…)
      • ACI does not differentiate between virtual and physical, providing consistent policy and performance
  39. Full Infrastructure Visibility: Application Visibility and Health Score
      • Single point of truth
      • Health scores per application/tenant
      • Application centric telemetry
      • Self documenting network fabric
      • Real-time hop-by-hop visibility and telemetry
      • Detailed information about the performance of individual endpoint groups and tenants
      • Latency, packet drops and traffic paths, which can be sliced at the group or tenant level
      • Full workload discovery and mobility
      • Availability & performance business reporting
      • Closed loop application performance feedback for development and production environments
      • Full visibility of overlay and underlay for telemetry and troubleshooting (dashboard mock-up: health score, latency, packets dropped, isolation, systems, telemetry)
  40. Ubiquitous Security: Secure Workload Placement
      • The entire ACI fabric is a firewall
      • ACI offers the ability to integrate with many firewall vendors for more advanced inspection and filtering
      • White list forwarding policy model (zero trust architecture)
      • Simplifies complex and hard to manage firewall rule sets
      • Automated security policy and compliance
      • Inherent multi-tenancy at scale
      • Self documenting network
      • Policy-based compliance with industry regulations (e.g. PCI, HIPAA)
      • Deep visibility and accelerated threat response based on real-time and forensic network intelligence
      • Security policy extends to non-virtual workloads such as databases, mainframes, Unix systems and auto-scale clusters such as Hadoop
      • A single network fabric providing full visibility increases security threat detection and reduces response time
  41. Single API – Single Point of Control: Full Network Automation
      • APIC manages the network as a single entity
      • RBAC for infrastructure and architecture teams
      • Fully published policy and object model through the northbound REST API
      • Consume ACI with any cloud management platform (e.g. UCSD, OpenStack, etc.)
      • Simple management through the APIC UI, including policy definition, service chaining, telemetry and application health scores
      • Zero touch fabric automation, including power-on auto-provisioning and cable plan enforcement
      • Automates common practices such as upgrades and configuration
      • Automate third party network services using OpFlex or device packages
      • Single API for network policy, network services, physical and virtual workloads
  42. OPEN and AGNOSTIC: Open Architecture
      • Open RESTful API northbound
      • Open OpFlex protocol southbound (IETF proposal)
      • Any hypervisor; any cloud management platform
      • OpFlex transfers abstract policy between APIC and any device (hypervisor switches, physical switches, and Layer 4 through 7 network services)
      • OpFlex allows vendors to innovate and expose new features in their platforms to controllers
      • 3rd party device packages allow integration with any vendor
      • ACI published SDK
      • GitHub repository for rich collaboration
      • Single API for network policy, network services, physical and virtual workloads (APIC)
  43. Open Ecosystem Framework: Full-Featured, Programmable API and Data Model
      • Object-oriented, centralized automation; RESTful XML / JSON
      • Comprehensive programmability and system access
      • Northbound API: rapid integration with existing management frameworks (OpenStack); tenant- and application-aware
      • Southbound API: published data model; open source; enables application portability
      • Consumers: system management, hypervisor management, automation tools, orchestration frameworks
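The EPG/contract model of slides 20 to 25 and the white-list forwarding model of slide 40 can be illustrated with a small added example (my code, not Cisco's or the presenter's): it evaluates whether a flow between two EPGs is permitted the way a default-deny contract model would, and renders the same policy as the JSON object tree a northbound client would POST to APIC. The APIC class and attribute names (fvTenant, fvAp, fvAEPg, fvRsProv, fvRsCons, vzBrCP, vzSubj, vzRsSubjFiltAtt, vzFilter, vzEntry) are my assumption from the APIC object model, not something the slides show; the tenant, profile and contracts are constructed sample data.

```python
"""Added example: ACI-style white-list contracts between EPGs (not Cisco code).
APIC class names in to_apic_json() are assumed from the APIC object model."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class FilterEntry:          # one classifier: protocol + L4 destination port range
    name: str
    proto: str              # "tcp", "udp", "icmp"
    dport_from: int
    dport_to: int

@dataclass
class Contract:             # providers serve the contract, consumers initiate to them
    name: str
    entries: list           # FilterEntry objects under one subject
    providers: set = field(default_factory=set)
    consumers: set = field(default_factory=set)

def is_allowed(contracts, src_epg, dst_epg, proto, dport):
    """Zero-trust semantics: a flow initiated from src_epg toward dst_epg passes only
    if a contract consumed by src_epg and provided by dst_epg has a matching filter
    entry; everything else is dropped. Traffic inside one EPG is permitted by default."""
    if src_epg == dst_epg:
        return True
    for c in contracts:
        if src_epg in c.consumers and dst_epg in c.providers:
            for e in c.entries:
                if e.proto == proto and e.dport_from <= dport <= e.dport_to:
                    return True
    return False

def to_apic_json(tenant, ap, epgs, contracts):
    """Render the policy as the APIC JSON object tree a northbound client POSTs to
    /api/mo/uni.json (class and attribute names are assumptions, see lead-in)."""
    objs = []
    for c in contracts:
        flt = c.name + "-flt"
        entries = [{"vzEntry": {"attributes": {
            "name": e.name, "etherT": "ip", "prot": e.proto,
            "dFromPort": str(e.dport_from), "dToPort": str(e.dport_to)}}} for e in c.entries]
        objs.append({"vzFilter": {"attributes": {"name": flt}, "children": entries}})
        objs.append({"vzBrCP": {"attributes": {"name": c.name}, "children": [{"vzSubj": {
            "attributes": {"name": "subj"}, "children": [
                {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": flt}}}]}}]}})
    epg_objs = []
    for epg in epgs:
        rels = [{"fvRsProv": {"attributes": {"tnVzBrCPName": c.name}}} for c in contracts if epg in c.providers]
        rels += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c.name}}} for c in contracts if epg in c.consumers]
        epg_objs.append({"fvAEPg": {"attributes": {"name": epg}, "children": rels}})
    objs.append({"fvAp": {"attributes": {"name": ap}, "children": epg_objs}})
    return {"fvTenant": {"attributes": {"name": tenant}, "children": objs}}

# Constructed sample: the deck's three-tier WEB-APP-DB application.
WEB_TO_APP = Contract("web-to-app", [FilterEntry("http", "tcp", 8080, 8080)], {"APP"}, {"WEB"})
APP_TO_DB = Contract("app-to-db", [FilterEntry("sql", "tcp", 3306, 3306)], {"DB"}, {"APP"})
POLICY = [WEB_TO_APP, APP_TO_DB]
```

Note that `is_allowed` models the initiating direction only (consumer to provider); the fabric's handling of return traffic for a contract is a separate setting not modelled here.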