Solutii pentruSoftware Defined Network in DataCenter · Solutii pentruSoftware Defined Network in DataCenter ... CommonNX-APIacrossN2K-N9K MegaScaleDatacenters DB DB Web Web App Web

Solutii pentru Software Defined Network in DataCenter

George Boulescu, Consulting Systems Engineer, CCIE #15928

Cluj‐Napoca

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2Cisco ConfidentialCisco Confidential© 2015 Cisco and/or its affiliates. All rights reserved. 2

SDN?

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3


4


Manual CLI

More Efficient Manual CLI

Powerful, Bulky Management Tools

(Steampowered Saw)

What We Want

5


Software Existing Tools

• Can be dangerous and unproven

• Excess of new tools

• Risk of choosing the tool before the

project

Power tools are still awesome

+What We're Seeing

6

Cisco Confidential© 2015 Cisco and/or its affiliates. All rights reserved. 7


• Automation is required to rapidly onboard

resources and applications

• Automation delivers consistency, accuracy,

repeatability and standardisation

• Move from silo management to unified

management

• Faster service delivery

IT

AutomationProgrammability


OnBox OneWay TwoWay

Effectiveness

CLI

SNMP

Interpreter(EEM, TCL, Python)

Linux Containers(Puppet/Chef)

Web Access

Bash

Openflow

NetConf

API(onePK, RPC, REST)

Opflex


Snowflake Silos MultiDomain Private Cloud

Effectiveness

Cut & Paste/Excel

Automation/Orchestration(UCS Director, ICF, OpenStack, ODL)

Puppet/Chef

Scripts

PoAPProfiles/Policy& controllers InfrastructureAPI

IaaS

PaaS

Portal Services(Prime Service Catalog)


Forward

Process

Reporting

Forward

Process

Reporting

Forward

Process

Reporting

Automation Software Application

API

Application

API API API

Device API


• Far Reaching – Add an API to nearly anything

• A software change – not hardware

• Network problems are management issues – not a lack of features/protocols

• Examples:

NXAPI (Nexus)

Netconf/YANG (ISP)

OnePK (ISR / Catalyst)

REST/JSON (industry)

Linux tools BASH, LXC, Configuration Management


Forward

Process

Reporting

Forward

Process

Reporting

Forward

Process

Reporting

Controller

Control Protocol(OpenFlow, BGPPCEP, etc)

Application

Reporting API

Application


Forward

Process

Forward

Process

Forward

Process

VM VM VM VM VM VM

Overlay NetworkLB

FW

NAM

VM VM VM

Network Function Virtualization (NfV)


• Attractive – can run on existing networks

• Overlay and Underlay:

May not reduce the complexity – duplicating network configuration

Operational issues if not in unison

• Allows for smaller, simpler, virtual networks

• Alleviates application mobility and scale issues

• Examples:

VXLAN

NVGRE

STT


Hybrid Model“SDN” Approach

Data Plane Data Plane

Control Plane

Data Plane…

Control Plane

Data Plane

Networks can be built with all 3 – Overlays, Programmability, and Controllers

Current Switch/Router

APIs APIs APIs

Controller Controller

Control Plane

Data Plane


Doppler

Northstar

Nexus 3000

Nexus 9000

CSR

vASA

vIPS

TailF

OpenDaylight

COSC

Puppet Agents

ContainersUCS Director

Openstack

APIC + ACI

APIC EM

Github WAE, BW Calendaring


Cisco’s Approach to SDNProviding Choice withAutomation and Programmability

Cisco ACI Programmable NetworkProgrammable Fabric

Modern NX-OS withenhanced NX-APIs

Automation Ecosystem

(Puppet, Chef, Ansible, etc.)

Common NX-API across N2K-N9K

Mega Scale Datacenters

DB DB

Web Web App Web App

VxLAN-BGP EVPN standard-based

3rd party controller support

Choice of Cisco Solutions

Service ProvidersPublicCloud

Turnkey integrated solution

Embedded security,

centralized management, and scale

Automated application

centric-policy model

Broad and deep ecosystem

Small and Large Enterprises,Public Sector, Private/Hybrid Cloud


Programmable Network


Rewind: Network Administration

•

•

“Same as it ever was…”

Key Innovation: Notepad

Box Centric


From Servers To Networks

Shift from manuallyconfiguring every

server, OS, and virtual

machine -> Operating a

nimble set of

infrastructure at scale

1 Server Admin:Hundreds of Servers

->

1 Server Admin:

Thousands of Servers

From CLI + Bashscripts + Reactive

configuration ->

Orchestrated

configuration and

integration with

development

Open NX-OS - Automation for D.I.Yand DevOps

3rd Party DevOpsAutomation Tools

ProgrammableOpen APIs

Customized developmentand integration to

operationalize Nexus

Zero TouchProvisioning

Use existing servermanagement tools toautomate network

Object-based, model drivenAPIs (RESTful XML/JSON)

Toolset integrationinto Open NX-OS

Simplify Day-0 fabricautomation with Open

Source tools

Bootstrap network withPOAP, Ignite and PXE

OPManaging Switch with

Linux Tools

Unified managementacross the compute and

network

Open Kernel, RPMsupport, Linux network

tools

PXE

What Is NX-API

HTTP-BasedProgrammatic Access

to Nexus Platforms

(HTTP/HTTPS)

Configuration andManagement

Capabilities of the NX-

OS CLI with web-

based APIs.

Generate CLIsoutput (off box) in

XML or JSON format

• Situation:

• Nexus switches are often deployed in pairs.

• Challenge:• Configuration/parameters need to match, forexample with topologies that use FabricPath orVPC

• Solution:

• Use a Python Script to:o Call Show Commands via NXAPI

o Compare the VLANs on all the switches

o Configure missing VLANs.

o Benefits:

o Reduced time

o Improved efficiency

NXAPI & Python Use Case

Python Scripting ExampleServiceability – Reduce Time-to-Resolution

Customer

IT Engineer

ping

show ip route

show ip arp

show mac address-table

show port-channel interface

show interface

Python Scripting ExampleServiceability – Reduce Time-to-Resolution

INSIEME# detailson 192.168.208.2

Details for IP Address: 192.168.208.2

+---------------+-----------------------+------------------+----------------+--------+--------+-----------------+------------+

| IP Address | Ping Result | Next Hop | MAC | L3 Int | L2 Int | Errors | Po Members |

+---------------+-----------------------+------------------+----------------+--------+--------+-----------------+------------+

| 192.168.208.2 | 0.00% packet loss | 10.1.1.1, ospf-1 | 30f7.0d9f.8801 | Po1 | Po1 | 0 input error | Eth1/1(P), |

| | 0.494/3.455/15.219 ms | | | | | 0 output errors | Eth1/2(P)+---------------+-----------------------+------------------+----------------+--------+--------+-----------------+------------+

Enter Next IP to get details on (Press 0 to exit): 10.1.1.1

Details for IP Address: 10.1.1.1

+------------+---------------------+----------+----------------+--------+--------+-----------------+------------+

| IP Address | Ping Result | Next Hop | MAC | L3 Int | L2 Int | Errors | Po Members |

+------------+---------------------+----------+----------------+--------+--------+-----------------+------------+

| 10.1.1.1 | 0.00% packet loss | attached | 30f7.0d9f.8801 | Po1 | Po1 | 0 input error | Eth1/1(P), |

| | 0.578/0.67/0.945 ms | | | | | 0 output errors | Eth1/2(P) |

+------------+---------------------+----------+----------------+--------+--------+-----------------+------------+

Enter Next IP to get details on (Press 0 to exit):

Cisco ConfidentialCisco Confidential© 2015 Cisco and/or its affiliates. All rights reserved. 27

Programmable Fabric

•

•

•

Need to respond faster to businessdemands

Rapid rollout of fabric infrastructure

Minimize errors and fabric downtime

DC Fabric Deployment & ManagementChallenges

Need a New Simpler Approach!Manual Provisioning models don’t work anymore!

•

•Automation based on knowledge of

underlying fabric architecture

•Designed to simplify fabricmanagement

through its various lifecycle phases

•Initial support for Cisco Nexus 9000 Familyrunning stand-alone NX-OS mode

•Delivered via VXLAN-based architecture

Cisco Nexus Fabric Manager (NFM)

Intelligent fabric lifecycle management

Fabric-wide focus – auto-configuration andmanagement of fabric

FabricManagement Lifecycle

Creation Expansion

FaultsReporting

Connection

FABRICMANAGER

1. Create a fabric

• NFM creates and manages HA-enabled fabric

2. Add a new switch to the fabric

• NFM discovers, adds, and configures new switch

3. Create a broadcast domain

• NFM creates and manages VLANs and VXLAN topology

Assign VNID fromNFM managed pool

Establish VLANport membership

Map VLAN to VNIDon target leafs

Attach VNID toVTEP

•

Focus on Fabric Management Workflows

NFM optimizes fabricmanagement workflows• Help network ops quickly support business needs

• Switch featuresmanaged based on workflows

Sample fabric management workflows

Add to broadcastdomain

Assign VLAN fromNFM managed pool

Buildbroadcastdomain

• Heavy reliance on CLI – time consuming

• This doesn’t include host-facing vPCs or VRFs

• Need to repeat many steps above per

broadcast domain

CLI-Jockey : Building a Fabric – Day 0-1Steps required to build fabric and establish connection between two devices

OSPF

Spanning

Tree

VLANs

BGP

vPCs

NTP

AAA HSRP VRFsQoS

1. Rack and Cable

• Rack all switches, note serial

numbers for future reference• Run cables between switches• Note in spreadsheet all connections• Attach management interfaces

•••••

2. Power-up and Initial Config

Power all switches, attach console

Complete initial config dialogAssign mgmt IP addr, default routeUpgrade switch software if requiredEnable L3 interfaces on spines

3. Setup Common Config

• Verify all connections using show

CDP neighbor – per switch• Configure common featuresincludingNTP, SNMP, Syslog,AAA, usernames per switch, etc.

5. Setup UnderlayRouting

• Create addressing plan for underlay

• Configure point-to-point subnetsbetween switches

• Configure loopback interfaces• Configure IGP (eg. OSPF)

6. Setup BGPRouting, EVPN

• Establish neighbor configuration

per peer, per switch• Establish EVPN configuration perpeer, per switch

7. Build Broadcast Domain

• Refer to spreadsheet from step 1

• Assign newVLAN for BD in eachleaf switch

• Add host ports toVLAN in eachapplicable leaf switch

ISLs

8. Build VXLAN/EVPNConfig

• Establish VNI/VLANmapping on

each switch• Configure VTEP on each switch• Configure EVPNon each switch• Test connectivity

Port Channels

4. Setup Initial Topology

• Refer to spreadsheet from step 1

• Configure switch-facing interfacesto L3 mode

• Configure all portchannels withinfabric via CLI – time consuming

Broadcastdomain

Switchpool

NFM

NFM : Building a Fabric – Day 0-1Steps required to build fabric and establish connection between two devices

numbers for future reference

(*optional*)

• Run cables betweeen switches

• Attach management interfaces

1. Rack and Cable

• Rack all switches, note serial

• Complete initial config dialog

• Assign mgmt IP addr, default route,

username/pw for NFM

2a. Power-upand Initial Config

• Power all switches, attach console

• Set basic boot script within POAPto assign IP_addr, default gateway,and username/password

• Power all switches

2b. Power-up andPOAP

•

•

Very simplified procedure to go fromboxes of switches to a functioning fabric

3 clicks and you have a full VXLAN/EVPN

fabric with communicating devices

•

•

Ignite (POAP) eliminates need to assigninitial IP_Addr and credentials to switches

User asks for broadcast domain, NFM

handles full VXLAN configuration

for fabric discovery

• Select all discoveredN9K switches

and set them to managedmode via

group edit

3. Discover Fabric

• Enter seed switch IP into NFM UI

✶click✶

✶click✶

and choose create new broadcast

domain

• Test connectivity

4. Setup Broadcast Domain

• Select discovered host devices

✶click✶

vCenter

RESTAPI

VTS

GUI

Programmable Fabric

Across Nexus Portfolio

Nexus 2K – 9K

AutomatedSeamless integration with Orchestrators

Overlay provisioning and DCI/WAN integration

Scalable VXLANManagementMP-BGP EVPN control plane

High performance virtual forwarding

Open and ProgrammableREST Northbound APIs

Multi-protocol and Multi-hypervisor support

Virtual Topology System (VTS)Overlay Provisioning & Management System

Flexible OverlaysPhysical and virtual overlays

Bare-metal and Virtualized workloads

Cisco ConfidentialCisco Confidential© 2015 Cisco and/or its affiliates. All rights reserved. 34

Application Centric Infrastructure

GROUP-BASED

POLICIES

ACI

CONTROLLER

Best SDN Controller

Interop 2015

Application Centric InfrastructureCisco’s SDN Solution for Data Center Networking

Rapid Deployment of Applications onto Networks with Scale, Security and Full Visibility

Integrated GBP VXLAN Overlay

ACI FABRIC

7

Momentum Continues to Grow

6,000+Nexus 9K and ACI

Customers Globally

50Ecosystem

Partners

1400+ACI

Customers

Mobile Phone

SIM Card

Identity for a Phone

UCSService Profile

Identity for a Server

UCS Service ProfileUnified Device Management

Network Policy

Storage Policy

Server Policy

Logical Provisioning of Stateless Hardware

Power of Abstraction

8

ACI Fabric:Logical Provisioning of Stateless Network

ACI Fabric

Application Profile

Identity for the Network

• Extend the principle of Cisco UCS®

Manager service profiles to the entire

fabric

• Network profile: stateless definition of

application requirements

−

−

−

−

Application tiers

Connectivity policies

Layer 4 – 7 services

XML/JSON schema

• Fully abstracted from the infrastructure

implementation

− Removes dependencies of the infrastructure

− Portable across different data center fabrics

9

All forwarding in the fabric is managed through the application network profile

• IP addresses are fully portable anywherewithin the fabric

• Security and forwarding are fully decoupled fromany physical or virtual network attributes

• Devices autonomously update the state of the network based on configured policy requirements

Policy instantiation:Each device

dynamically instantiates the required

changes based on the policies

VM VMVM

10.2.4.7

VM

10.9.3.37

VM

10.32.3.7

VMVM

Application policy model: Defines

the application requirements

(application network profile)

Application Policy Model and InstantiationApplication

Client

App Tier DB Tier

Storage Storage

Web Tier

10

Cisco ACI Fabric Multi-Tenancy Construct

M/LB/SPFlagsFlags/DR

EVNID == BD/VRFSource Class ID == EPG

• ACI Fabric leverages VXLAN Encapsulation to build

network overlay

•

•

VXLAN Source Group is used as a tag/label to identify the

specific end point for each application function (EPG)

Policy is enforced between an ingress or source application

tier (EPG) and an egress or destination application tier

(EPG)

• Policy can be enforced at source or destination

Coke-Tenant

Private Network 1

Private Network 2

Bridge Domain 1

Bridge Domain 2

EPG

EPG

Bridge Domain 3 EPG

Bridge Domain 4

EPG

EPG

Mapping the Configuration to the Packet

17

Apps

Infrastructure

Cisco ACI Fabric Multi-Tenancy Construct

Tenant “Coke”

Private Network 1 Private Network 2

Bridge Domain 172

Subnet 172.1.1.0/24

Subnet 172.1.2.0/24

…

Subnet 172.20.1.0/24

Bridge Domain 10

Subnet 10.1.1.0/24

Bridge Domain 100

Subnet 10.1.1.0/24

Subnet 10.1.2.0/24

…

EPG WEB

Policy “HTTP”

EPG APP

EPG DB

Policy “SQL”

EPG web

EPG app

Policy “HTTP”

EPG db

Policy “SQL”

19

Defining Application Logic Through PolicyApplications and Conversations

DBFarm

AppServersWeb

FarmUsers

•

•

Application communication can be defined as who is allowed to talk to whom.

Communication between objects on the network can be thought of as one or

two way conversations (monologue/dialogue.)

20

Defining Application Logic Through Policy

The Provider Consumer Relationship

Users

Consumes Web Services

ProvidesWeb Services

Web Farm

ConsumesApp Services

Provides App Services

AppServers

Provider consumer relationships define application connectivity in applicationterms. All objects can provide, consume, or both.

21

BuildingACI Contracts

Subject

Filter

TCP Port 80

Action

Permit

Label

WebAccess

Subjects are a combination of

A filter, an action and a label

Actions are policy options:

Permit the traffic

Block the traffic

Redirect the traffic

Log the traffic

Copy the traffic

Mark the traffic (DSCP/CoS)

Contracts define communication between source and destination EPGs.

The defined policy encompasses traffic handling, quality of service,

security monitoring and logging.

Filter | Action | Label

Contract 1

Subject 1

Subject 2

Subject 3

22

EXTERNAL

Cisco ACI Layer 4-7 Service Integration (1)

Application Profile

APP APP APP

APP DBAPPPolicyPolicy Policy

WEB WEB WEB

WEBDB DB DB

Func:Firewall

Func:Load Balancer

Service Graph: “WebGraph”

Func:Load Balancer

Service Graph:“appGraph”

Terminal: Input1 Terminal: Output1

24

Providers

ServiceProfile

Service

Graph

… …WebServer

AppServer

Cisco ACI Layer 4-7 Service Integration (2)

• Elastic service insertion architecture for

physical and virtual services

• APIC as central point of network control

with policy coordination

• Automation of service bring-up/tear-down

through programmable interface

• Supports existing operational model

when integrated with existing services

• Service enforcement assured, regardless

of endpoint location

Web TierAWeb

Server

App TierBWeb

Server

Policy Enforcement

Chain

“Security 5”

ApplicationAdmin

ServiceAdmin

begin endStage 1 ….. Stage N

inst

inst

Firewall

inst

inst

Load Balancer

……..

“Security 5” Chain Defined

25

L/BEPGAPP

EPGDBF/W

EPGWEB

VM VM VM

WEB PORT GROUP APP PORT GROUP DB PORT GROUP

Hypervisor Integration with ACI

APIC

Application Network Profile

Relationship is formed between APIC and

Virtual Machine Manager (VMM)

ACI Fabric implements policy on Virtual

Networks by mapping Endpoints to EPGs

Endpoints in a Virtualized environment are

represented as the vNICs

VMM applies network configuration by placing

vNICs into:

Port Groups (VMWare),

VM Networks (Hyper-V)

Networks (OpenStack)

EPGs are exposed to the VMM as a 1:1

mapping to Port Groups, VM Networks or

OpenStack Networking.

27

Virtual Machines Containers

VM1

VM2

VM1

Docker1 Docker2

Full Stack Use CasesArchitecture = Choice in Cloud Management Platforms To Endpoints

vRealize

Bare Metal

Any Endpoint

Software Defined Network

Any Cloud ManagementPlatform

Infrastructure Intelligence

ForApps

Policy Based Automationfor Application Management CloudCenter

Manager

SAP App DeploymentAnd Governance

SecurePaaS

Real TimeInsights and Actions

SDN

Controller


Questions

Documents

Solutii pentruSoftware Defined Network in DataCenter · Solutii pentruSoftware Defined Network in DataCenter ... CommonNX-APIacrossN2K-N9K MegaScaleDatacenters DB DB Web Web App Web