C97-730020-01 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Nick Martin
[Figure: ecosystem around the Application Policy Infrastructure Controller (APIC). Labels: UCS Director, OpenStack, UCS Manager, Converged Infrastructure Managers, vCenter, System Center, Process Orchestrator, 3rd Party Orchestrators, IaaS / PaaS / SaaS, Capacity planning, Intercloud, Prime Services Catalogue, Stack Designer, Intercloud Fabric, VRA / BMC etc., Puppet, SCVMM, Chargeback, 3rd Party, CPU, ODL, Analytics and Service Assurance, Storage, Manual Processing.]
[Figure: APIC fabric controller with ACI Spine Nodes and ACI Leaf Nodes.]
• ACI Fabric provides:
‒ Decoupling of endpoint identity, location, and associated policy, all of which are independent from the underlying topology
‒ Full normalization of the ingress encapsulation mechanism used: 802.1Q VLAN, IETF VXLAN, IETF NVGRE
‒ Distributed Layer 3 gateway to ensure optimal forwarding for Layers 3 and 2
‒ Support for standard bridging and routing semantics without standard location constraints (any IP address anywhere)
‒ Service insertion and redirection
‒ Removal of flooding requirements for IP control plane (ARP, GARP)
• ACI Fabric is based on an IP fabric supporting routing to the edge with an integrated overlay for host routing
‒ All end-host (tenant) traffic within the fabric is carried through the overlay
‒ Mobility
‒ “Carrier grade” multi-tenancy
‒ Integration with emerging hypervisor designs
[Figure: IP fabric with integrated overlay, managed by APIC.]
• Quick example: with 1,000 servers, 10% of those are 100 physical workloads!
• If you take 30 VMs/host, the remaining 900 VMs would fit in 30 physical hosts
• You would have more than three times the racks with bare-metal servers than racks with VMs (assuming all servers have the same size)
Normalization of Ingress Encapsulation
[Figure: localized encapsulations at the edge (VXLAN VNID = 5789, VXLAN VNID = 11348, NVGRE VSID = 7456, 802.1Q VLAN 50) are normalized any-to-any onto an IP fabric using eVXLAN tagging; the packet format of each encapsulation (outer IP / VXLAN, outer IP / NVGRE, 802.1Q, untagged) is shown beside its VTEP.]
• All traffic within the ACI Fabric is encapsulated with a VXLAN header
• External VLAN, VXLAN, NVGRE tags are mapped at ingress to an internal VXLAN tag
• Forwarding is not limited to, nor constrained within, the encapsulation type or encapsulation ‘overlay’ network
• External identifiers are localized to the Leaf or Leaf port, allowing re-use and/or translation if required
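Added example, not from the deck: a small ingress normalizer that extracts the external identifier from each of the three encapsulations named above and maps it, scoped to (leaf, port), onto an internal VNID. The leaf names, port numbers and internal VNID values are constructed; only the VLAN/VNID/VSID values come from the slide.

```python
import struct

# Header layouts follow IEEE 802.1Q (TCI), RFC 7348 (VXLAN) and RFC 7637 (NVGRE).
TPID_8021Q, VXLAN_FLAG_I = 0x8100, 0x08          # 802.1Q TPID; VXLAN "VNI valid" flag
GRE_KEY_PRESENT, NVGRE_PROTO = 0x2000, 0x6558   # GRE K bit; Transparent Ethernet Bridging
def vlan_id_from_8021q(tag: bytes) -> int:
    tpid, tci = struct.unpack("!HH", tag[:4])
    if tpid != TPID_8021Q:
        raise ValueError("not an 802.1Q tag")
    return tci & 0x0FFF                            # VLAN ID is the low 12 bits of the TCI
def vni_from_vxlan(header: bytes) -> int:
    flags, vni_field = struct.unpack("!B3xI", header[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    return vni_field >> 8                          # 24-bit VNI sits above one reserved byte
def vsid_from_nvgre(header: bytes) -> int:
    flags_ver, proto, key = struct.unpack("!HHI", header[:8])
    if not flags_ver & GRE_KEY_PRESENT or proto != NVGRE_PROTO:
        raise ValueError("not an NVGRE header")
    return key >> 8                                # VSID is the upper 24 bits of the GRE key
PARSERS = {"802.1q": vlan_id_from_8021q, "vxlan": vni_from_vxlan, "nvgre": vsid_from_nvgre}

class IngressNormalizer:
    """External identifiers are scoped to (leaf, port); each binding maps to one fabric VNID."""
    def __init__(self):
        self._bindings = {}                        # (leaf, port, encap, external id) -> VNID
    def bind(self, leaf, port, encap, external_id, internal_vnid):
        self._bindings[(leaf, port, encap, external_id)] = internal_vnid
    def normalize(self, leaf, port, encap, header):
        key = (leaf, port, encap, PARSERS[encap](header))
        if key not in self._bindings:
            raise LookupError(f"no binding for {key}; frame is not admitted to the fabric")
        return self._bindings[key]

# Constructed sample headers carrying the identifiers named on the slide.
VLAN_50 = struct.pack("!HH", TPID_8021Q, 50)
VXLAN_5789 = struct.pack("!B3xI", VXLAN_FLAG_I, 5789 << 8)
NVGRE_7456 = struct.pack("!HHI", GRE_KEY_PRESENT, NVGRE_PROTO, 7456 << 8)

def demo():
    """VLAN 50 on two ports stays two segments; VXLAN 5789 and NVGRE 7456 share one segment."""
    n = IngressNormalizer()                        # internal VNIDs below are constructed values
    n.bind("leaf1", 9, "802.1q", 50, 0xA001)
    n.bind("leaf2", 9, "802.1q", 50, 0xA002)
    n.bind("leaf3", 1, "vxlan", 5789, 0xA003)
    n.bind("leaf4", 1, "nvgre", 7456, 0xA003)
    return [n.normalize("leaf1", 9, "802.1q", VLAN_50), n.normalize("leaf2", 9, "802.1q", VLAN_50),
            n.normalize("leaf3", 1, "vxlan", VXLAN_5789), n.normalize("leaf4", 1, "nvgre", NVGRE_7456)]
```

A frame whose (leaf, port, identifier) has no binding is rejected rather than guessed, which is the check that keeps one tenant's VLAN 50 from leaking into another's segment.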
Distributed Default Gateway / Directed ARP Forwarding
[Figure: two panels, Distributed Default Gateway and Directed ARP Forwarding, each showing endpoints 10.1.1.10, 10.1.3.11, 10.6.3.2 and 10.1.3.35 across the fabric under APIC.]
• ACI Fabric supports full Layer 2 and Layer 3 forwarding semantics; no changes required to applications or endpoint IP stacks
• ACI Fabric provides optimal forwarding for Layer 2 and Layer 3
‒ Fabric provides a pervasive SVI, which allows for a distributed default gateway
‒ Layer 2 and Layer 3 traffic are directly forwarded to the destination endpoint
• IP ARP and GARP packets are forwarded directly to the target endpoint address contained within the ARP or GARP header (elimination of flooding)
• The forwarding table on the Leaf switch is divided between local (directly attached) and global entries
• The Leaf global table is a cached portion of the full global table
• If an endpoint is not found in the local cache the packet is forwarded to the ‘default’ forwarding table in the spine switches (1,000,000+ entries in the spine forwarding table)
[Figure: station tables across the fabric. Proxy station table (Proxy A, Proxy B) contains addresses of all hosts attached to the fabric, with entries such as 10.1.3.11 → Leaf 1 and 10.1.3.35 → Leaf 3 plus IPv6 link-local entries fe80::462a:60ff:fef7:8e5e and fe80::62c5:47ff:fe0a:5b1a (labels Leaf 4, Leaf 6). Global station table on a leaf contains a local cache of the fabric endpoints (e.g. 10.1.3.35 → Leaf 3, fe80::8e5e → Proxy A*). Local station table contains addresses of all hosts attached directly to the iLeaf (e.g. 10.1.3.11 → Port 9).]
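Added example, not from the deck: a simulation of the three-table lookup order described above (local station table, then the bounded global cache, then the spine proxy), using the addresses and placements from the figure. The cache size, the port on Leaf 3 and the handling of a never-learned address are constructed assumptions.

```python
from collections import OrderedDict

class SpineProxy:
    """Proxy station table: every endpoint learned anywhere in the fabric, keyed to its leaf."""
    def __init__(self):
        self.table = {}                      # endpoint address -> owning leaf

    def resolve(self, endpoint):
        return self.table.get(endpoint)

class Leaf:
    """Leaf tables from the slide: local station table plus a bounded global cache."""
    def __init__(self, name, spine, cache_size=2):
        self.name, self.spine, self.cache_size = name, spine, cache_size
        self.local = {}                      # endpoint -> local port (directly attached)
        self.global_cache = OrderedDict()    # endpoint -> remote leaf, cached subset only

    def attach(self, endpoint, port):
        """Learn a directly attached host and publish it to the spine proxy."""
        self.local[endpoint] = port
        self.spine.table[endpoint] = self.name

    def lookup(self, endpoint):
        """Return (table that answered, next hop): local, then cache, then spine proxy."""
        if endpoint in self.local:
            return ("local", self.local[endpoint])
        if endpoint in self.global_cache:
            self.global_cache.move_to_end(endpoint)
            return ("global-cache", self.global_cache[endpoint])
        owner = self.spine.resolve(endpoint)  # cache miss: forward to the spine's full table
        if owner is None:
            return ("unknown", None)          # never learned: modelled as a miss, no flooding
        self.global_cache[endpoint] = owner
        if len(self.global_cache) > self.cache_size:
            self.global_cache.popitem(last=False)   # evict the least recently used entry
        return ("spine-proxy", owner)

def demo():
    """Addresses and placements from the slide: 10.1.3.11 on Leaf 1 port 9, 10.1.3.35 on Leaf 3."""
    spine = SpineProxy()
    leaf1, leaf3 = Leaf("Leaf 1", spine), Leaf("Leaf 3", spine)
    leaf1.attach("10.1.3.11", 9)
    leaf3.attach("10.1.3.35", 4)             # port 4 is a constructed value
    return [leaf1.lookup("10.1.3.11"),        # local table hit
            leaf1.lookup("10.1.3.35"),        # miss on leaf, resolved by the spine proxy
            leaf1.lookup("10.1.3.35"),        # now served from the global cache
            leaf1.lookup("10.6.3.2")]         # unknown endpoint
```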
EFT Customer Scale
ACI is managed via Policy
[Figure: ACI Fabric as a non-blocking, penalty-free overlay; the Application Policy Infrastructure Controller (APIC) applies policy (QoS, Filter, Service) between Outside (Tenant VRF), Web, App and DB.]
[Figure: three layers of connectivity driven by Application Requirements. Enable Connectivity (The Network): IP Address, VLAN, VRF. Control & Audit Connectivity (Security – Firewall, ACL, …). Redirect and Load Balance Connectivity. IP Addressing.]
Application Specific Connectivity: dynamic provisioning of connectivity explicitly defined for the application.
ACI directly maps the application connectivity requirements onto the network and services fabric.
APPLICATION VS. NETWORK: TWO LANGUAGES
APPLICATION LANGUAGE
• Application Tier Policy and Dependencies
• Security Requirements
• Service Level Agreement
• Application Performance
• Compliance
• Geo Dependencies
• Tenants
NETWORK LANGUAGE
• VLAN
• IP Address
• Subnets
• Firewalls
• Quality of Service
• Load Balancer
• Access Lists
• VRFs
POLICY MODEL
ACI policy model brings the concept of End-Point Group (EPG)
[Figure: EPG - Web, grouping four HTTPS Service and four HTTP Service endpoints.]
EPGs are a grouping of end-points representing application or application components independent of other network constructs.
Ex.: EPGs, Subnets and Policy
EPGs separate the addressing of an application from its mapping and policy enforcement on the network.
[Figure: EPG Web contains HTTPS Service and HTTP Service endpoints drawn from two subnets, 10.10.10.x and 10.10.11.x; policy/security enforcement occurs at the EPG level.]
Applying Policy between EPGs: ACI contracts
[Figure: EPG A, EPG B and EPG C; Contract 01 shows bidirectional communication, Contract 02 shows unidirectional communication.]
Contracts define the way in which EPGs interact.
The policy model allows for both unidirectional and bidirectional policies.
Ex: ACI Logical Model applied to the “3-Tier App” ANP
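Added example, not from the deck: a minimal policy evaluator for the two points the last slides make, that enforcement follows EPG membership rather than subnet, and that a contract is directional unless declared bidirectional. The endpoints, ports, the Web/App/DB tiers of the contracts and the default-permit rule for traffic inside one EPG are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Contract:
    name: str
    provider: str                 # EPG that offers the service
    consumer: str                 # EPG allowed to initiate towards the provider
    filters: frozenset            # allowed (protocol, destination port) pairs
    bidirectional: bool = False   # True: either EPG may initiate

class PolicyModel:
    """Endpoints are classified into EPGs by membership, never by subnet."""
    def __init__(self):
        self.membership = {}      # endpoint IP -> EPG name
        self.contracts = []

    def add_endpoint(self, ip, epg):
        self.membership[str(ip_address(ip))] = epg

    def permits(self, src_ip, dst_ip, proto, port):
        """Return (allowed, reason) for a flow initiated by src_ip towards dst_ip."""
        src, dst = self.membership.get(src_ip), self.membership.get(dst_ip)
        if src is None or dst is None:
            return False, "unclassified endpoint"
        if src == dst:
            return True, "intra-EPG"           # assumption: intra-EPG traffic permitted by default
        for c in self.contracts:
            allowed_pairs = {(c.consumer, c.provider)}
            if c.bidirectional:
                allowed_pairs.add((c.provider, c.consumer))
            if (src, dst) in allowed_pairs and (proto, port) in c.filters:
                return True, c.name
        return False, "no contract"

def demo():
    """Three-tier ANP: Web and App share subnet 10.10.10.x, yet policy follows the EPG."""
    m = PolicyModel()                         # addresses and ports below are constructed
    for ip, epg in [("10.10.10.5", "Web"), ("10.10.11.7", "Web"),
                    ("10.10.10.9", "App"), ("10.10.12.3", "DB")]:
        m.add_endpoint(ip, epg)
    m.contracts.append(Contract("Contract 01", "App", "Web", frozenset({("tcp", 8080)}), True))
    m.contracts.append(Contract("Contract 02", "DB", "App", frozenset({("tcp", 3306)})))
    return [m.permits("10.10.10.5", "10.10.11.7", "tcp", 443),   # Web -> Web across subnets
            m.permits("10.10.10.5", "10.10.10.9", "tcp", 8080),  # Web -> App via Contract 01
            m.permits("10.10.10.9", "10.10.10.5", "tcp", 8080),  # App -> Web, bidirectional
            m.permits("10.10.10.9", "10.10.12.3", "tcp", 3306),  # App -> DB via Contract 02
            m.permits("10.10.12.3", "10.10.10.9", "tcp", 3306),  # DB -> App: unidirectional
            m.permits("10.10.10.5", "10.10.12.3", "tcp", 3306)]  # Web -> DB: no contract
```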
ACI and Today’s 3-Tier applications
[Figure: “The Application / Service” expressed as an App Network Profile: Outside Client(s), Web, App and DB, with defined policies (P = Defined Policy) for QoS, Filter and Service between tiers; the tiers are annotated “could be many VMs”, “could be a mix of physical/virtual machines” and “mostly physical resources”.]
Application Policy Model And Instantiation
All forwarding in the fabric is managed through the application network profile
• IP addresses are fully portable anywhere within the fabric
• Security and forwarding are fully decoupled from any physical or virtual network attributes
• Devices autonomously update the state of the network based on configured policy requirements
Application policy model: Defines the application requirements (application network profile)
Policy instantiation: Each device dynamically instantiates the required changes based on the policies
[Figure: Application with Client, Web Tier, App Tier, DB Tier and Storage; VMs at 10.2.4.7, 10.9.3.37 and 10.32.3.7 placed across the fabric under APIC.]
DECLARATIVE VS IMPERATIVE
[Figure: Imperative Control vs Declarative Control. Labels: Admin, Control System, Elements; Policy Mgr; Control + Data Plane; APIC; SDN Controller; Policy Mgr + Control Plane; Data Plane; OpenFlow + OVSDB; No standard protocol exists.]
Imperative has issues
• Failures often need to be resolved by Controller
• No paper
• Requires all knowledge in Controller
‒ Needs to know who has what
‒ Uses lowest common denominator set of features
• Controller becomes bottleneck
‒ Many requests being issued
‒ Lots of error handling
Control Channel - VMM Domains
• Relationship is formed between APIC and Virtual Machine Manager (VMM)
• Multiple VMMs likely on a single ACI Fabric
• Each VMM and associated Virtual hosts are grouped within APIC
‒ Called VMM Domain
• There is a 1:1 relationship between a Virtual Switch and VMM Domain
[Figure: three VMM Domains (VMM Domain 1, 2, 3) on one ACI fabric, one per virtual switch: vCenter DVS, SCVMM, vCenter AVS.]
• Software-only overlays and hardware networks do not exclude each other by definition.
• If an organization wants to run a software overlay like NSX or Nuage, ACI is the best transport network they can run it on.
OpenStack Managed Network Workflow
[Figure: workflow between the OpenStack Tenant (performs steps 1 and 4), Neutron and Nova on the hypervisors, APIC, and the ACI Admin (manages physical network, monitors tenant state).]
1. Create Network, Subnet, Security Groups (Neutron network, Neutron router, security group)
2. Automatically Push Network Profiles to APIC
3. Create End Point Groups (any-any allow) in the Application Network Profile (EPG WEB, EPG APP, EPG DB, with L/B and F/W)
4. Instantiate VMs (Nova) on the hypervisors: Web, App, DB
5. Push Policy to the ACI Fabric
Group Based Policy Workflow
[Figure: same actors as the OpenStack managed network workflow: OpenStack Tenant (performs steps 1 and 4), Neutron and Nova on the hypervisors, APIC, and the ACI Admin (manages physical network, monitors tenant state).]
1. Create Application Network Profile
2. Automatically Push Network Profiles to APIC
3. Create Application Policy in the Application Network Profile (EPG WEB, EPG APP, EPG DB, with L/B and F/W)
4. Instantiate VMs on the hypervisors: Web, App, DB
5. Push Policy to the ACI Fabric
Innovation Driving Application Performance
[Chart: Network Utilization with Congestion Management, values 60%, 60% and 90%; Network Innovations: Dynamic Load Balancing, Dynamic Packet Prioritization.]
Application Awareness / Application-Level Visibility
ACI Fabric provides the next generation of analytic capabilities
Per application, tenants, and infrastructure:
• Health scores
• Latency
• Atomic counters
• Resource consumption
Integrate with workload placement or migration (Triggered Events or Queries)
Actions:
• No new hosts or VMs
• Evacuate hypervisors
• Re-balance clusters
[Figure: PetStore Event. PetStore Dev: Leaf 1 and 2, Spine 1 – 3, Atomic counters. PetStore Prod: Leaf 2 and 3, Spine 1 – 2, Atomic counters. PetStore QA: Leaf 3 and 4, Spine 2 – 3, Atomic counters. Labels: VXLAN, Per-Hop Visibility, Physical and Virtual as One, APIC.]
1. Extend L2 into ACI
2. Configure ACI for this L2 extension
3. Create new EPG and contracts for the workloads to move into
4. Move Workloads
5. Move HSRP Default Gateway over to ACI
6. Turn off the existing Network
Easy.
(you can do 4 and 5 in any order and might choose never to do 6!)
ACI and Nexus 9000: Business Outcomes and Benefits for Cisco IT
• Reduce Network Provisioning: 58%
• Reduce Management Costs: 21%
• Reduce Power and Cooling Costs: 45%
• CAPEX Reduction: 25%
• Compute and Storage Optimization: 10–20%
Outcomes: Greater Business Agility; Lower Capital Expenses; Reduced Costs/Complexity; Lower Operating Cost; Resource Optimization