© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Software Defined Networking

Jimmy Ray Purser, PE/MSEE, TechWiseTV

Social Defined Networking


Learn how Cisco redefined SDN and its elements. Explore more about SDN from experts of Cisco.


Page 2: Social Defined Networking


SDN

Software Defined Networking

Page 3: Social Defined Networking

(Figure: classical SDN model. The control plane decides where and how to send packets; the data plane forwards them. In the SDN model the control plane is pulled out of each device into a controller that NETops/DEVops program.)

“…In the SDN architecture, the control and data planes are decoupled, network intelligence and state are logically centralized, and the underlying network infrastructure is abstracted from the applications…”

Source: www.opennetworking.org

Classical SDN Model

Page 4: Social Defined Networking

Cisco Approach: Software Defined Networking

(Figure: the same control-plane/data-plane split as the classical model, but the control plane stays on the devices alongside the controller.)

Preserve what's working / Evolve for emerging requirements:

• Resiliency
• Scale & security
• Rich feature set
• Operational simplicity
• Programmability
• Application aware

Evolution, NOT revolution

Page 5: Social Defined Networking

Move to a Programmable Infrastructure

(Figure: applications, services orchestration, analytics, policy and application + network security sit above the network. Downward flow: workflow and intent, programmability, network intelligence and guidance. Upward flow: statistics, states, objects and events. Caption: harvest network intelligence and security.)

Page 6: Social Defined Networking


Harvest Network Intelligence through deep programmatic access to Cisco devices and software

• onePK

• OpenStack

• REST

• ACI

Centralize control, configuration, policy monitoring and SDN applications

• Cisco XNC

• OpenDaylight

• OpenFlow

• Puppet/Chef

• ACI

Build Scalable multi-tenant cloud infrastructures with consistent operational experience between physical and virtual

• VXLAN

• NVGRE

• ACI

Cisco ONE: Open Network Environment Strategy

Page 7: Social Defined Networking

Cisco Confidential 7C97-732424-00 © 2014 Cisco and/or its affiliates. All rights reserved.

Introduction to Cisco Application Centric Infrastructure (ACI)

Page 8: Social Defined Networking


Cisco ACI Introduces Logical Network Provisioning of Stateless Hardware

(Figure: the Cisco® ACI Fabric is a scale-out, penalty-free overlay. Web, App and DB tiers are joined by QoS, filter and service policies, with an outside (tenant VRF) attachment; the whole is driven by the Cisco Application Policy Infrastructure Controller (APIC).)

Page 9: Social Defined Networking

Cisco ACI Network Profile: Policy-Based Fabric Management

• Extend the principle of Cisco UCS® Manager service profiles to the entire fabric

• Network profile: stateless definition of application requirements
  − Application tiers
  − Connectivity policies
  − Layer 4 – 7 services
  − XML/JSON schema

• Fully abstracted from the infrastructure implementation
  − Removes dependencies on the infrastructure
  − Portable across different data center fabrics

## Network Profile: Defines Application Level Metadata (Pseudo Code Example)

    <Network-Profile = Production_Web>
      <App-Tier = Web>
        <Connected-To = Application_Client>
          <Connection-Policy = Secure_Firewall_External>
        <Connected-To = Application_Tier>
          <Connection-Policy = Secure_Firewall_Internal & High_Priority>
      . . .
      <App-Tier = DataBase>
        <Connected-To = Storage>
          <Connection-Policy = NFS_TCP & High_BW_Low_Latency>
      . . .

The network profile fully describes the application's connectivity requirements.

(Figure: application with a Web tier, App tier and DB tier, plus storage.)

Page 10: Social Defined Networking


Application Policy Model and Instantiation

All forwarding in the fabric is managed through the application network profile
• IP addresses are fully portable anywhere within the fabric
• Security and forwarding are fully decoupled from any physical or virtual network attributes
• Devices autonomously update the state of the network based on configured policy requirements

Application policy model: defines the application requirements (application network profile)

Policy instantiation: each device dynamically instantiates the required changes based on the policies

(Figure: application client; Web, App and DB tiers of VMs with addresses such as 10.2.4.7, 10.9.3.37 and 10.32.3.7; and storage, placed anywhere in the fabric.)

Page 11: Social Defined Networking

Application Awareness: Application-Level Visibility

VXLAN: Per-Hop Visibility

Physical and Virtual as One

Cisco® ACI Fabric provides the next generation of analytic capabilities

Per application, tenants, and infrastructure:
• Health scores
• Latency
• Atomic counters
• Resource consumption

Integrate with workload placement or migration

Actions:
• No new hosts or VMs
• Evacuate hypervisors
• Re-balance clusters

(Figure: a PetStore event raised through triggered events or queries across three environments.)
• PetStore Dev: Leaf 1 and 2, Spine 1 – 3, atomic counters
• PetStore Prod: Leaf 2 and 3, Spine 1 – 2, atomic counters
• PetStore QA: Leaf 3 and 4, Spine 2 – 3, atomic counters

Page 12: Social Defined Networking

Cisco ACI Layer 4 - 7 Service Integration: Centralized and Automated, and Supports the Existing Model

• Elastic service insertion architecture for physical and virtual services
• Helps enable administrative separation between application-tier policy and service definition
• Cisco® APIC as central point of network control with policy coordination
• Automation of service bring-up/tear-down through programmable interface
• Supports existing operational model when integrated with existing services
• Service enforcement assured, regardless of endpoint location

(Figure: Web Tier A (web servers) and App Tier B (app servers); policy redirection sends traffic through the service chain "Security 5". The application admin owns the tier policy; the service admin owns the service graph (begin, Stage 1 … Stage N, end), the providers and instances behind each stage (firewall, load balancer, …) and the service profile. Caption: "Security 5" chain defined.)

Page 13: Social Defined Networking


Multihypervisor-Ready Fabric

Hypervisor Integration

(Figure: network admin and application admin roles; physical servers on VLAN, ESX hosts on VLAN/VXLAN, Hyper-V hosts on VLAN/NVGRE and KVM hosts on VLAN/VXLAN all attach to the fabric; hypervisor management from Microsoft, VMware and Red Hat.)

Cisco® ACI Fabric
• Integrated gateway for VLAN, VXLAN, and NVGRE networks from virtual to physical
• Normalization for NVGRE, VXLAN, and VLAN networks
• Customer not restricted by a choice of hypervisor
• Fabric is ready for multiple hypervisors

Page 14: Social Defined Networking

Open Ecosystem Framework: Full-Featured, Programmable API and Data Model

Object-oriented, centralized automation; RESTful XML/JSON; comprehensive programmability and system access.

Northbound API
• Rapid integration with existing management frameworks
• OpenStack
• Tenant and application aware

Southbound API
• Published data model - OpFlex
• Open source - Dev. Package and OVS
• Enables application portability

(Figure: ecosystem around the fabric. System management: Hewlett-Packard, CA Technologies, Arbor Networks, NetBrain, NetQoS, SolarWinds, Tivoli Software, InfoVista. Hypervisor management: XenServer, Red Hat KVM, Microsoft, VMware. Automation tools: Puppet Labs, Opscode, Python, CFEngine. Orchestration frameworks: CloudStack, VMware, Nebula, OpenStack, Eucalyptus.)

Page 15: Social Defined Networking

Extending ACI Policy and Automation into the Existing Data Center

Cisco ACI: It's a Policy-Based 'IP' Network

• ACI services extended into any existing IP-enabled data center
• ACI policy and automation extended to virtual servers through Cisco AVS
• ACI policy and automation extended to physical and existing virtual servers through Cisco Nexus® 9000 Series Switches
• Cisco® ACI enabled Layer 4 - 7 virtual and physical services (support for existing and new service instances); partner logos shown: A10 Networks, Palo Alto Networks, Citrix, Cisco, F5 Networks

(Figure: Cisco APIC policy controller; IP-enabled data center network with directory/proxy service nodes and border leaves; ACI leaf (Cisco Nexus 9000 Series); ACI virtual leaf (AVS) alongside a vSwitch.)

Page 16: Social Defined Networking


Cisco ACI Fabric Overview

Page 17: Social Defined Networking


Overview of the Cisco ACI Fabric

• Industry's most efficient fabric
  − 1/10-Gbps edge – high-density 40-Gbps spine (100-Gbps capable)
  − 1 million+ IPv4 and IPv6 endpoints
  − 64,000+ tenants
  − 220,000+ 1/10-Gbps hosts in a single-tier 3:1 oversubscribed fabric

• Routed fabric – optimal IP forwarding
  − Bridging (Layer 2) and routing (Layer 3) of VXLAN, NVGRE, and VLAN at scale
  − No x86 gateways – physical and virtual
  − Application agility – place and join without limits in the fabric

• Full visibility into virtual and physical

• Common operations from hypervisor to computing, to fabric, to WAN

(Figure: Spine – inline overlay hardware database, 288 x 40-Gbps ports, higher capacity and lower cost. Fabric optimization – improved utilization, 1588 timing and latency, ECMP-based approaches. Scale – intelligent caching, overlay hardware offload, improved analytics.)

Page 18: Social Defined Networking

Overview of the Cisco ACI Fabric

(Figure: Application Policy Infrastructure Controller connected to Cisco® ACI spine nodes and Cisco ACI leaf nodes.)

• Cisco ACI Fabric provides:
  − Decoupling of endpoint identity, location, and associated policy, all of which are independent from the underlying topology
  − Full normalization of the ingress encapsulation mechanism used: 802.1Q VLAN, IETF VXLAN, and IETF NVGRE
  − Distributed Layer 3 gateway to help ensure optimal forwarding for Layers 3 and 2
  − Support for standard bridging and routing semantics without standard location constraints (any IP address anywhere)
  − Service insertion and redirection
  − Removal of flooding requirements for IP control plane (ARP, GARP, DHCP, and unknown unicast)

Page 19: Social Defined Networking


Cisco ACI Fabric IP Network with an Integrated Overlay

• Cisco® ACI fabric is based on an IP fabric supporting routing to the edge with an integrated overlay for host routing
  − All end-host (tenant) traffic within the fabric is carried through the overlay

• The fabric is capable of supporting an arbitrary number of tiers and/or partial mesh if required

• Why choose an integrated overlay?
  − Mobility, scale, multitenancy, and integration with emerging hypervisor designs
  − Data traffic can now carry explicit metadata that allows for distributed policy (flow-level control without requiring flow-level programming)

(Figure: IP fabric with integrated overlay; each node is assigned loopback IP address(es) advertised through IS-IS; IP unnumbered 40-Gbps links.)

Page 20: Social Defined Networking

Cisco ACI Fabric: Decoupled Identity, Location, and Policy

• Cisco® ACI fabric decouples the tenant endpoint address - its identifier - from the location of that endpoint, which is defined by its locator, or VTEP address

• Forwarding within the fabric is between VTEPs (VXLAN tunnel endpoints) and takes advantage of an extended VXLAN header format, which makes use of the Reserved Bits in the VXLAN header

• The mapping of the internal tenant MAC or IP address to the location is performed by the VTEP, using a distributed mapping database

(Figure: a VTEP on each leaf; packets inside the fabric are VTEP | VXLAN | IP | Payload.)

Page 21: Social Defined Networking


Cisco ACI Fabric Encapsulation Normalization

(Figure: localized encapsulations at the edge – VXLAN VNID = 5789, VXLAN VNID = 11348, NVGRE VSID = 7456, 802.1Q VLAN 50 – are normalized, any to any, onto an IP fabric using VXLAN tagging (VTEP | VXLAN | IP | Payload).)

• All traffic within the Cisco® ACI fabric is encapsulated with an extended VXLAN header

• External VLAN, VXLAN, and NVGRE tags are mapped at ingress to an internal VXLAN tag

• Forwarding is not limited to, nor constrained within, the encapsulation type or encapsulation ‘overlay’ network

• External identifiers are localized to the leaf or leaf port (future), allowing reuse and/or translation if required

(Figure: normalization of ingress encapsulation. Incoming frames – 802.1Q | Eth | IP | Payload, NVGRE outer IP | IP | Payload, VXLAN outer IP | IP | Payload, and plain Eth MAC | IP | Payload – are all carried as VTEP | VXLAN | IP | Payload inside the fabric.)

Page 22: Social Defined Networking

Location-Independent Forwarding: Layer 2 and Layer 3

(Figure: endpoints 10.1.1.10, 10.1.3.11, 10.6.3.2 and 10.1.3.35 shown twice, once for the distributed default gateway and once for directed ARP forwarding.)

• Cisco® ACI fabric supports full Layer 2 and Layer 3 forwarding semantics; no changes required to applications or endpoint IP stacks

• Cisco ACI fabric provides optimal forwarding for Layer 2 and Layer 3
  − Fabric provides a pervasive SVI, which allows a distributed default gateway
  − Layer 2 and Layer 3 traffic are directly forwarded to the destination endpoint

• IP ARP and GARP packets are forwarded directly to the target endpoint address contained within the ARP or GARP header (elimination of flooding)

Captions: distributed default gateway; directed ARP forwarding

Page 23: Social Defined Networking

Scale Enhancements: Inline Hardware Mapping DB - 1,000,000+ Hosts

• The forwarding table on the leaf switch is divided between local (directly attached) and global entries

• The leaf global table is a cached portion of the full global table

• If an endpoint is not found in the local cache the packet is forwarded to the default forwarding table in the spine switches (1,000,000+ entries in the spine forwarding table)

(Figure: spine proxies A and B hold the full mapping, e.g. 10.1.3.11 → Leaf 1 and 10.1.3.35 → Leaf 3, with IPv6 link-local hosts fe80::462a:60ff:fef7:8e5e and fe80::62c5:47ff:fe0a:5b1a on Leaf 4 and Leaf 6. A leaf's global table caches entries such as 10.1.3.35 → Leaf 3 and otherwise points at Proxy A*; its local table holds directly attached hosts such as 10.1.3.11 → Port 9.)

• Global station table contains a local cache of the fabric endpoints
• Local station table contains addresses of all hosts attached directly to the leaf
• Proxy station table contains addresses of all hosts attached to the fabric
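As an added example (not code from the Cisco deck), the following walks the three tables this slide describes: a leaf first consults its local station table, then its global station table (a cache of fabric endpoints), and only then the spine proxy station table that holds every endpoint. Class names, the cache size, the LRU eviction policy and the `build_leaf1` helper are assumptions; the addresses and leaf names are taken from the slide's figure, though which leaf holds each IPv6 host is a constructed guess.

```python
# Added example (not from the Cisco deck): lookup through the leaf's local
# station table, its global station table (cache) and the spine proxy table.
# Class names, cache size and LRU policy are assumptions.
from collections import OrderedDict


class Leaf:
    def __init__(self, name, local_table, proxy_table, cache_size=2):
        self.name = name
        self.local = dict(local_table)          # address -> local port
        self.global_cache = OrderedDict()       # address -> remote leaf, LRU order
        self.proxy = proxy_table                # address -> leaf, the shared spine table
        self.cache_size = cache_size

    def lookup(self, addr):
        """Resolve where a packet for addr is sent.

        Returns (source, target): source is 'local', 'global-cache', 'proxy' or
        'unknown'; target is the local port, the remote leaf, or None.
        """
        if addr in self.local:
            return "local", self.local[addr]
        if addr in self.global_cache:
            self.global_cache.move_to_end(addr)      # refresh LRU position
            return "global-cache", self.global_cache[addr]
        leaf = self.proxy.get(addr)
        if leaf is None:
            # Unknown endpoint: the deck states the fabric removes unknown-unicast
            # flooding, so the leaf simply has nowhere to send the packet.
            return "unknown", None
        # Proxy hit: populate the global cache, evicting the least recently used entry.
        self.global_cache[addr] = leaf
        if len(self.global_cache) > self.cache_size:
            self.global_cache.popitem(last=False)
        return "proxy", leaf


# Constructed proxy (spine) table, loosely following the slide's figure.
PROXY_TABLE = {
    "10.1.3.11": "Leaf 1",
    "10.1.3.35": "Leaf 3",
    "fe80::462a:60ff:fef7:8e5e": "Leaf 4",
    "fe80::62c5:47ff:fe0a:5b1a": "Leaf 6",
}


def build_leaf1():
    """Leaf 1 with 10.1.3.11 attached on Port 9, as in the figure."""
    return Leaf("Leaf 1", {"10.1.3.11": "Port 9"}, PROXY_TABLE)


if __name__ == "__main__":
    leaf = build_leaf1()
    for addr in ["10.1.3.11", "10.1.3.35", "10.1.3.35", "10.9.9.9"]:
        print(addr, "->", leaf.lookup(addr))
```

The second lookup of 10.1.3.35 is served from the global cache; a third, after two other proxy hits have filled the small cache, goes back to the proxy, which is the behaviour the "cached portion of the full global table" bullet describes.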

Page 24: Social Defined Networking

Cisco ACI Fabric Load Balancing: Focus on the Application Response Time

• Cisco® ACI fabric tracks the congestion along the full path between the ingress leaf and the egress leaf through the data plane (real-time measurements)
  − Congestion on switch-to-switch ports (external wires)
  − Congestion on internal ASIC-to-ASIC connections (internal wires)

• Fabric load-balances traffic on a "flowlet" basis
  − Dynamic shedding of active flows from congested to less congested paths

• Fabric prioritizes small (and early) flowlets
  − Provides DC-TCP behavior without having to modify host stacks
  − Ramps up large TCP flows faster

Page 25: Social Defined Networking

Improved Application Performance: Fabric Efficiency

• Improve capacity of the fabric (resulting in more VMs per port)
• Improve application response over standard ECMP

Dynamic Load Balancing and Dynamic Flow Prioritization

(Chart: normalized average flow completion time, y-axis 0 to 1, for small flows (0, 100 KB), medium flows (100 KB, 5 MB) and large flows (5 MB, Inf); Cisco® ACI dynamic load balancing + flow prioritization versus a standard ECMP network; the three plotted values read 0.12, 0.21 and 0.20.)

Up to 80% improvement in application flow completion time
Up to 60% improved utilization of the fabric capacity

Page 26: Social Defined Networking

Telemetry: TEP-to-TEP Atomic Counters

• TEP-to-TEP counters
  − Packet and byte counts between all leaf TEPs
  − Matrix of load to and from each leaf to all other leaves
  − Always active; level of granularity is TEP to TEP

(Figure: odd bank / even bank TEP-to-TEP atomic counters.)

Page 27: Social Defined Networking

Telemetry: Atomic Counters

Packets sent from Leaf 2 to Leaf 5, packets received on Leaf 5 from Leaf 2, and the difference, per path:

  Path    Sent (Leaf 2)   Received (Leaf 5)   Difference
  Path 1  2068            2066                 2
  Path 2  2963            2963                 0
  Path 3  2866            2869                -3
  Path 4  2506            2506                 0
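The reconciliation this table illustrates, as an added example (not code from the deck): the sent and received counters are constructed from the slide's numbers, the function computes the per-path difference, and a second function classifies each path. Function names and the tolerance parameter are assumptions.

```python
# Added example (not from the Cisco deck): reconcile per-path atomic counters.
# The two dictionaries are constructed from the slide's table; function names
# and the tolerance parameter are assumptions.

SENT_LEAF2_TO_LEAF5 = {"Path 1": 2068, "Path 2": 2963, "Path 3": 2866, "Path 4": 2506}
RECEIVED_ON_LEAF5 = {"Path 1": 2066, "Path 2": 2963, "Path 3": 2869, "Path 4": 2506}


def path_differences(sent, received):
    """sent - received per path (the slide's 'Difference' column).

    A path with no receive counter counts as zero packets received.
    """
    return {path: sent[path] - received.get(path, 0) for path in sent}


def classify_paths(differences, tolerance=0):
    """Group paths by what their difference means.

    loss:    more sent than received beyond the tolerance (packets went missing)
    surplus: more received than sent; drops cannot explain this, so it points at
             counters read at different instants or traffic not attributed to
             this sender/path
    ok:      within tolerance
    """
    result = {"loss": [], "surplus": [], "ok": []}
    for path, diff in sorted(differences.items()):
        if diff > tolerance:
            result["loss"].append(path)
        elif diff < -tolerance:
            result["surplus"].append(path)
        else:
            result["ok"].append(path)
    return result


def loss_ratio(sent, received):
    """Fraction of sent packets that did not arrive, counting only positive gaps."""
    total_sent = sum(sent.values())
    missing = sum(max(sent[p] - received.get(p, 0), 0) for p in sent)
    return missing / total_sent if total_sent else 0.0


if __name__ == "__main__":
    diffs = path_differences(SENT_LEAF2_TO_LEAF5, RECEIVED_ON_LEAF5)
    print(diffs)
    print(classify_paths(diffs))
    print(f"loss ratio: {loss_ratio(SENT_LEAF2_TO_LEAF5, RECEIVED_ON_LEAF5):.6f}")
```

With the slide's numbers Path 1 shows a small loss and Path 3 a surplus; a tolerance of a few packets, chosen to cover the sampling window, makes both read as ok, which is why a fixed tolerance rather than a strict equality check is the practical alert condition.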

Page 28: Social Defined Networking

Telemetry: Fabric Latency Measurements

• Matrix of latency measurements between all leaves is tracked at each leaf
• Per-port average latency and variance to up to 576 other leaves
  − Maximum accumulation, sum of squares, and packet count
• Per-port 99% latency (recorded to up to 576 other leaves)
  − 99% of all packets have recorded latency less than this value
• 48-bucket histogram

(Figure: PTP time sync through boundary clocks; external clock source (pulse per second [PPS]) on each supervisor in the spine chassis.)
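The statistics this slide lists, worked as an added example (not code from the deck): the count, sum, sum-of-squares and maximum accumulators a port could keep, the mean and variance derived from them alone, a 48-bucket fixed-width histogram, and the 99% latency read off the histogram. The sample latencies, the bucket width and the function names are constructed assumptions.

```python
# Added example (not from the Cisco deck): per-port latency accumulators,
# mean/variance from accumulators, 48-bucket histogram and 99% latency.
# Sample values, bucket width and function names are assumptions.
import math

BUCKETS = 48


def accumulate(latencies_us):
    """The running per-port accumulators: packet count, sum, sum of squares, maximum."""
    count = len(latencies_us)
    total = sum(latencies_us)
    sum_sq = sum(x * x for x in latencies_us)
    maximum = max(latencies_us) if latencies_us else 0
    return count, total, sum_sq, maximum


def mean_variance(count, total, sum_sq):
    """Mean and population variance computed from the accumulators, no samples needed."""
    mean = total / count
    variance = max(sum_sq / count - mean * mean, 0.0)   # clamp float rounding below zero
    return mean, variance


def histogram(latencies_us, bucket_width_us):
    """Fixed-width histogram with BUCKETS buckets; values past the last bucket land in it."""
    counts = [0] * BUCKETS
    for x in latencies_us:
        idx = min(int(x // bucket_width_us), BUCKETS - 1)
        counts[idx] += 1
    return counts


def percentile_bound(counts, bucket_width_us, pct=0.99):
    """Upper edge of the first bucket whose cumulative count reaches pct of all packets.

    This is the '99% of all packets have recorded latency less than this value'
    figure; resolution is one bucket width.
    """
    total = sum(counts)
    needed = math.ceil(pct * total)
    cumulative = 0
    for idx, c in enumerate(counts):
        cumulative += c
        if cumulative >= needed:
            return (idx + 1) * bucket_width_us
    return BUCKETS * bucket_width_us


# Constructed sample: 97 packets at 10 us plus three slow ones.
SAMPLE_US = [10] * 97 + [50, 200, 900]
BUCKET_WIDTH_US = 20


if __name__ == "__main__":
    count, total, sum_sq, maximum = accumulate(SAMPLE_US)
    mean, var = mean_variance(count, total, sum_sq)
    hist = histogram(SAMPLE_US, BUCKET_WIDTH_US)
    print(f"count={count} mean={mean:.1f}us var={var:.1f} max={maximum}us")
    print(f"p99 bound={percentile_bound(hist, BUCKET_WIDTH_US)}us")
```

Note how the mean (about 21 µs) hides the 900 µs outlier while the maximum and the 99% bound expose it; that is why the slide tracks all three rather than the average alone.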

Page 29: Social Defined Networking

Cisco ACI Fabric: 64,000+ Dedicated, One-Hop Tenant Networks

• 1 million+ IPv4 and IPv6 (post-FCS) endpoints within a single fabric
• 64,000+ tenants within a single fabric
• 200,000+ 10-Gbps ports
• Any service anywhere for physical and virtual
• Normalizes encapsulations for VXLAN, VLAN, and NVGRE
  − No need for additional software or hardware gateways to connect between physical and virtual
  − No latency penalty and no throughput penalty

(Figure: four tenant networks, each with VMs, a DB and a QFP.)

Page 30: Social Defined Networking

Cisco ACI Fabric: Tenants, Private Networks, Bridge Domains, EPGs, etc.

(Figure: the infrastructure/apps hierarchy for one tenant.)

Tenant "University"
  PN "Engineering"
    Bridge Domain 172: subnets 172.1.1.0/24, 172.1.2.0/24, … 172.20.1.0/24
      EPG Web, EPG App
    Bridge Domain 10: subnet 10.1.1.0/24
      EPG DB
    Policy "HTTP", Policy "SQL"
  PN "Business"
    Bridge Domain 100: subnets 10.1.1.0/24, 10.1.2.0/24
      EPG App, EPG Web, EPG DB
    Policy "HTTP", Policy "SQL"

(Subnet 10.1.1.0/24 appears under both private networks; each PN is its own routing context, so the overlap is allowed.)

Page 31: Social Defined Networking


Layer 4-7 Services Integration

Page 32: Social Defined Networking


Goals of Cisco APIC Service Insertion and Automation

• Configure and manage VLAN allocation for service insertion

• Configure the network to redirect traffic through service device

• Configure network and service function parameters on service device

Page 33: Social Defined Networking


Automate Service Insertion through Cisco APIC

Endpoint group (EPG): collection of similar endpoints identifying a particular application tier. An endpoint could represent a VM, a vNIC, an IP address, a DNS name, etc.

Application profile: collection of EPGs and the policies that define the way EPGs communicate with each other

(Figure: application profile with EXTERNAL, WEB, APP and DB endpoint groups joined by policies.)

Page 34: Social Defined Networking

Application Policy

(Figure: EPG - APP consumes the DB contract; EPG - DB provides it.)

DB Contract
• MSSQL: Accept
• MySQL: Accept
• HTTP: Accept, Count

Filter: named collection of L4 port ranges
• HTTP = [80, 443]
• MSSQL = [1433-1434]
• MySQL = [3306, 25565]
• DNS = [53, 953, 1337, 5353]

Action: what action or actions to take on the packet
• Accept
• Service Insert
• Count
• Copy (future software release)
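The policy objects from slide 33 (EPGs, application profile) and this slide (filters, contract actions, provider/consumer) modelled as an added example, not code from the Cisco deck: a small evaluator that answers which actions apply to a flow between two EPGs. The filters, the DB contract and the EPG roles are the slide's; the class and function names, and the whitelist semantics (no contract means drop), are assumptions that describe a simplified model, not Cisco's implementation. Return traffic of an established flow is not modelled.

```python
# Added example (not from the Cisco deck): EPGs, filters, contracts and the
# provider/consumer relationship with a flow evaluator. Class and function
# names are assumptions; filters and the DB contract follow the slide.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Filter:
    """Named collection of L4 destination ports; an entry is a port or an (lo, hi) range."""
    name: str
    ports: tuple

    def matches(self, dport):
        for entry in self.ports:
            lo, hi = (entry, entry) if isinstance(entry, int) else entry
            if lo <= dport <= hi:
                return True
        return False


# Filters exactly as listed on the slide ("MSSQL = [1433-1434]" is a range).
FILTERS = {
    "HTTP": Filter("HTTP", (80, 443)),
    "MSSQL": Filter("MSSQL", ((1433, 1434),)),
    "MySQL": Filter("MySQL", (3306, 25565)),
    "DNS": Filter("DNS", (53, 953, 1337, 5353)),
}


@dataclass
class Contract:
    """Maps filter names to the tuple of actions taken on matching packets."""
    name: str
    rules: dict


@dataclass
class PolicyModel:
    contracts: dict = field(default_factory=dict)
    provided: dict = field(default_factory=dict)   # EPG -> contract names it provides
    consumed: dict = field(default_factory=dict)   # EPG -> contract names it consumes

    def add_contract(self, contract):
        self.contracts[contract.name] = contract

    def provide(self, epg, contract_name):
        self.provided.setdefault(epg, set()).add(contract_name)

    def consume(self, epg, contract_name):
        self.consumed.setdefault(epg, set()).add(contract_name)

    def evaluate(self, src_epg, dst_epg, dport):
        """Actions for a packet from src_epg to dst_epg on destination port dport.

        Whitelist semantics: traffic is permitted only when the source EPG
        consumes a contract that the destination EPG provides AND a filter in
        that contract matches the port. Any other pair, including the reverse
        direction, gets ("Drop",).
        """
        actions = set()
        shared = self.consumed.get(src_epg, set()) & self.provided.get(dst_epg, set())
        for name in shared:
            for filter_name, acts in self.contracts[name].rules.items():
                if FILTERS[filter_name].matches(dport):
                    actions.update(acts)
        return tuple(sorted(actions)) if actions else ("Drop",)


def build_slide_policy():
    """The slide's example: EPG-APP consumes the DB contract that EPG-DB provides."""
    model = PolicyModel()
    model.add_contract(Contract("DB", {
        "MSSQL": ("Accept",),
        "MySQL": ("Accept",),
        "HTTP": ("Accept", "Count"),
    }))
    model.provide("EPG-DB", "DB")
    model.consume("EPG-APP", "DB")
    return model


if __name__ == "__main__":
    m = build_slide_policy()
    for src, dst, port in [("EPG-APP", "EPG-DB", 1433), ("EPG-APP", "EPG-DB", 80),
                           ("EPG-APP", "EPG-DB", 22), ("EPG-DB", "EPG-APP", 1433),
                           ("EPG-WEB", "EPG-DB", 3306)]:
        print(f"{src} -> {dst}:{port} {m.evaluate(src, dst, port)}")
```

The evaluator makes the security property of the model visible: a WEB endpoint reaching for the database on port 3306 is dropped not because a rule says so but because no contract joins those two groups, and HTTP to the database is both accepted and counted, matching the "Accept, Count" entry.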

Page 35: Social Defined Networking

Service Automation Through Device Package

Device package – device specification (pseudo-XML as shown on the slide):

    <dev type="f5">
      <service type="slb">
        <param name="vip">
          <dev ident="210.1.1.1" validator="ip" hidden="no" locked="yes">

(Figure: Cisco APIC policy element → device model → device-specific Python scripts → Cisco APIC script interface → script engine on the APIC node → service device over its REST/CLI device interface.)

• Service automation requires a vendor device package. It is a zip file containing
  − Device specification (XML file)
  − Device scripts (Python)

• Cisco® APIC interfaces with the device using the device Python scripts

• Cisco APIC uses the device configuration model provided in the package to pass appropriate configurations to the device scripts

• Device script handlers interface with the device using its REST or CLI interface

Page 36: Social Defined Networking

Service Function Graph

Service graph "web-application": terminal → Func: Firewall → Func: SSL offload → Func: Load Balancing → terminal, with connectors between functions; all three functions rendered on the same device.

Firewall params:
  permit ip tcp * dest-ip <vip> dest-port 80
  deny ip udp *

SSL params:
  ipaddress <vip> port 80

Load-balancing params:
  virtual-ip <vip> port 80
  lb-algorithm: round-robin

Page 37: Social Defined Networking

Service Insertion

(Figure: the application profile with EXTERNAL, WEB, APP and DB EPGs; service graph "WebGraph" (Func: Firewall, Func: Load Balancer) and service graph "appGraph" (Func: Load Balancer) are inserted into the policies between EPGs; each graph has Terminal: Input1 and Terminal: Output1.)

Page 38: Social Defined Networking


Multihypervisor Integration

Page 39: Social Defined Networking

Hypervisor Interaction with Cisco ACI

Integrated Mode
• Cisco ACI fabric as a policy authority
• Encapsulations normalized and dynamically provisioned
• Integrated policy domains across physical and virtual
(Figure: APP, WEB and DB EPGs spanning physical and virtual hosts.)

Nonintegrated Mode
• Cisco® ACI fabric as an IP-Ethernet transport
• Encapsulations manually allocated
• Separate policy domains for physical and virtual
(Figure: VLAN 10 on the physical side, VLAN 10 and VXLAN 10000 on the virtual side, allocated by hand.)

Page 40: Social Defined Networking

Hypervisor Integration with Cisco ACI: Control Channel - VMM Domains

• Relationship is formed between Cisco® APIC and Virtual Machine Manager (VMM)
• Multiple VMMs likely on a single Cisco ACI Fabric
• Each VMM and associated virtual hosts are grouped within Cisco APIC
  • Called VMM domain
• There is a 1:1 relationship between a virtual switch and a VMM domain

(Figure: VMM Domain 1 – VMware vCenter DVS on VMware vSphere; VMM Domain 2 – VMware vCenter AVS on VMware vSphere; VMM Domain 3 – Microsoft System Center Virtual Machine Manager 2012 (SCVMM).)

Page 41: Social Defined Networking


Hypervisor Integration with Cisco ACI

• Cisco® ACI fabric implements policy on virtual networks by mapping endpoints to EPGs

• Endpoints in a virtualized environment are represented as the vNICs

• VMM applies network configuration by placement of vNICs into port groups or VM networks

• EPGs are exposed to the VMM as a 1:1 mapping to port groups or VM networks

(Figure: application network profile with EPG APP, EPG DB and EPG WEB (firewall and load balancer between them); each EPG is exposed to the VMM as the APP, DB and WEB port groups, into which the VMs' vNICs are placed.)

Page 42: Social Defined Networking

Cisco ACI Fabric – Integrated Overlay Data Path - Encapsulation Normalization

(Figure and bullets repeat slide 21: encapsulation normalization.)

Page 43: Social Defined Networking

Hypervisor Integration with Cisco ACI: VMM Domains and VLAN Encapsulation

• VLAN ID only gives 4000 EPGs (12 bits)

• Scale by creating pockets of 4000 EPGs

• Map EPGs to VMM domain based on scope of live migration

• Place VM anywhere

• Live migrate within VMM domain

(Figure: endpoints (EP) spread across VMM Domain 1 (4000 EPGs) and VMM Domain 2 (4000 EPGs); the fabric provides 16 million virtual networks.)
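The VLAN-pocket scheme on this slide, together with the encapsulation normalization of slide 21, as an added example that is not code from the Cisco deck: a leaf-side table in which each VMM domain is its own 12-bit VLAN namespace and every EPG gets one fabric-wide 24-bit VNID. The class and method names, the starting VNID and the per-domain capacity check are assumptions describing a simplified model, not Cisco's implementation.

```python
# Added example (not from the Cisco deck): per-VMM-domain VLAN namespaces
# normalized to fabric-wide VNIDs. Names, starting VNID and capacity check
# are assumptions.

VLAN_MIN, VLAN_MAX = 1, 4094          # 12-bit field; 0 and 4095 are reserved in 802.1Q
VNID_MAX = (1 << 24) - 1              # 24-bit VXLAN network identifier


class EncapNormalizer:
    def __init__(self, first_vnid=5000):
        self.epg_to_vnid = {}         # EPG name -> fabric VNID
        self.bindings = {}            # (vmm_domain, vlan) -> EPG name
        self.next_vnid = first_vnid

    def register_epg(self, epg):
        """Allocate one fabric-wide VNID per EPG (idempotent)."""
        if epg not in self.epg_to_vnid:
            if self.next_vnid > VNID_MAX:
                raise OverflowError("VNID space exhausted")
            self.epg_to_vnid[epg] = self.next_vnid
            self.next_vnid += 1
        return self.epg_to_vnid[epg]

    def bind(self, domain, vlan, epg):
        """Bind a domain-local VLAN to an EPG and return the EPG's VNID.

        A VLAN number may be reused in another domain for a different EPG, and
        one EPG may ride different VLANs in different domains, but within one
        domain a VLAN maps to exactly one EPG.
        """
        if not VLAN_MIN <= vlan <= VLAN_MAX:
            raise ValueError(f"VLAN {vlan} outside the usable 12-bit range")
        key = (domain, vlan)
        if key in self.bindings and self.bindings[key] != epg:
            raise ValueError(f"VLAN {vlan} already bound to {self.bindings[key]} in {domain}")
        self.bindings[key] = epg
        return self.register_epg(epg)

    def normalize(self, domain, vlan):
        """Ingress: (domain, local VLAN) -> fabric VNID, or None for an unknown encapsulation."""
        epg = self.bindings.get((domain, vlan))
        return None if epg is None else self.epg_to_vnid[epg]

    def localize(self, domain, vnid):
        """Egress: fabric VNID -> the VLAN this domain uses for that EPG, or None."""
        for (d, vlan), epg in self.bindings.items():
            if d == domain and self.epg_to_vnid[epg] == vnid:
                return vlan
        return None

    def domain_capacity_left(self, domain):
        """How many more EPGs this domain's VLAN pocket can still carry."""
        used = sum(1 for (d, _) in self.bindings if d == domain)
        return (VLAN_MAX - VLAN_MIN + 1) - used


if __name__ == "__main__":
    n = EncapNormalizer()
    print("Web in vmm1 on VLAN 5  ->", n.bind("vmm1", 5, "Web"))
    print("Web in vmm2 on VLAN 16 ->", n.bind("vmm2", 16, "Web"))
    print("DB  in vmm2 on VLAN 5  ->", n.bind("vmm2", 5, "DB"))
    print("vmm1 capacity left:", n.domain_capacity_left("vmm1"))
```

Two consequences worth checking in practice fall out of the model: VLAN 5 means "Web" in one domain and "DB" in the other, so a frame's VLAN tag is meaningless without its domain, and an unknown (domain, VLAN) pair normalizes to `None`, which a leaf should treat as "no policy, drop" rather than guess a VNID.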

Page 44: Social Defined Networking

(Bullets repeat slide 43. Figure: the endpoints in VMM Domain 1 (4000 EPGs) and VMM Domain 2 (4000 EPGs) are labelled VLAN 5, VLAN 16 and VNID 6032; 16 million virtual networks.)

Page 45: Social Defined Networking

Hypervisor Integration with Cisco ACI: Endpoint Discovery

• Virtual endpoints are discovered for reachability and policy purposes through 2 methods:
  • Control-plane learning:
    − Out-of-band handshake: VMware vCenter APIs
    − Inband handshake: OpFlex-enabled host (AVS, Microsoft Hyper-V, etc.)
  • Data-path learning: distributed-switch learning

• LLDP used to resolve virtual host ID to attached port on leaf node (non-OpFlex hosts)

(Figure: an OpFlex host has a control (OpFlex) channel and a data path to the leaf; a DVS host has only the data path, with control going through the VMM (VMware vCenter API); VMMs shown are Microsoft System Center Virtual Machine Manager 2012 and VMware vSphere.)

Page 46: Social Defined Networking


EPG Spanning VMM Domains

The fabric normalizes VLANs, which allows reuse and efficient communication across VMM domains

VXLAN is not required to address the 4000 VLAN limitations (VXLAN is supported if desired)

An EPG can be spread across multiple VMM domains (common policy across domains)

(Figure: VMM Domain 1 (4000 EPGs; hosts under VMware vCenter and VMware vShield) carries the Web EPG and App EPG; VMM Domain 2 (4000 EPGs; hosts under VMware vCenter and VMware vShield) carries the DB EPG and App EPG; the App EPG spans both domains.)

Page 47: Social Defined Networking

VMware Integration: Three Options

Application Virtual Switch (AVS)

• Encapsulations: VLAN, VXLAN

• Installation: VIB through VUM or Console

• VM discovery: OpFlex

• Software/Licenses: VMware vCenter with Enterprise+ License

vCenter + vShield

• Encapsulations: VLAN, VXLAN

• Installation: Native

• VM discovery: LLDP

• Software/Licenses: VMware vCenter with Enterprise+ License, vShield Manager with vShield License

Distributed Virtual Switch (DVS)

• Encapsulations: VLAN

• Installation: Native

• VM discovery: LLDP

• Software/Licenses: VMware vCenter with Enterprise+ License

(Figure: AVS and DVS run on VMware vSphere; the vCenter + vShield option runs on VMware vSphere + VMware vShield.)

Page 48: Social Defined Networking

Microsoft Interaction with Cisco ACI: Two Options

Integration with Microsoft SCVMM

• Policy management: Through Cisco® APIC

• Software and license: Microsoft Windows Server with HyperV and SCVMM

• VM discovery: OpFlex

• Encapsulations: VLAN and NVGRE (future)

• Plug-in installation: Manual

(Figure: Microsoft System Center Virtual Machine Manager.)

Integration with Microsoft Azure Pack

• Superset of Microsoft SCVMM

• Policy management: Through Cisco APIC or Microsoft Azure Pack

• Software and license: Microsoft Windows Server with HyperV, SCVMM, and Azure Pack (free)

• VM discovery: OpFlex

• Encapsulations: VLAN and NVGRE (future)

• Plug-in installation: Integrated

(Figure: Windows Azure + Microsoft System Center Virtual Machine Manager.)

Page 49: Social Defined Networking

OpenStack Components

(Figure: Dashboard (horizon) provides the UI for Compute (nova), Network (Neutron), Object (swift), Block (cinder) and Image (glance); each authenticates with Identity (keystone). Initial focus is on networking (Neutron).)

Page 50: Social Defined Networking

OpenStack Neutron Networking Model

(Figure: a Tenant owns Networks, Subnets, Ports and Routers (core API, Layer 3+); Network: External comes from the external net extension; Security Group and Security Group Rule come from the security group extension.)

Page 51: Social Defined Networking

OpenStack Neutron Networking Model

(Figure: the Cisco ACI objects on the other side of the mapping: Tenant → Context (VRF), Bridge Domain, Subnet, App Profile, Endpoint Group, Contract, Subject, Outside Network.)

Page 52: Social Defined Networking

Cisco OpenStack – Cisco ACI Model: Neutron API Mapping

  OpenStack            Cisco® ACI
  Tenant               Tenant
  No equivalent        Application Profile
  Network              EPG + Bridge Domain
  Subnet               Subnet
  Security Group       Handled by host
  Security Group Rule  Handled by host
  Router               Layer 3 Context
  Network: External    Layer 3 Outside

Page 53: Social Defined Networking

Group-Based Policy in OpenStack: Approved for Juno Release

https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction

• Messy mapping of Cisco® ACI to current OpenStack components
  − Endpoint groups (ports + security groups)
  − Contracts (security groups + security group rules)
• Goal: introduce the Cisco ACI model into OpenStack
• Starting with groups and group-based policies

Page 54: Social Defined Networking


Cisco Application Policy Infrastructure Controller (APIC)

Page 55: Social Defined Networking


Cisco Application Policy Infrastructure Controller: Centralized Automation and Fabric Management

Diagram: Cisco APIC exposes an Open RESTful API and Policy-Based Provisioning to the management domains (Layer 4-7, system, storage, orchestration), to the subject-matter experts (storage SME, server SME, network SME, security SME, application SME, OS SME), and to ecosystem partners (Citrix, Cisco, F5, EMC Corporation, NetApp, Puppet Labs, OpsCode, Python, CFEngine, Microsoft, XenServer, CloudStack, OpenStack, VMware, Red Hat, KVM)

• Unified point of data center network automation and management:

− Application-centric network policies

− Data model-based declarative provisioning

− Application, topology monitoring, and troubleshooting

− Third-party integration (Layer 4 - 7 services, storage, compute, WAN, etc.)

− Image management (spine and leaf)

− Fabric inventory

• Single Cisco® APIC cluster supports one million+ endpoints, 200,000+ ports, and 64,000+ tenants

• Centralized access to all fabric information - GUI, CLI, and RESTful APIs

• Extensible to computing and storage management

Page 56: Social Defined Networking


Cisco Application Policy Infrastructure Controller: Cluster Availability

Single Point of Management Without a Single Point of Failure

See What's Inside

Cisco APIC Cluster: Distributed, Synchronized, and Replicated

• Applications fully use the clustered and replicated controller (N+1, N+2, etc.)

• Any node is able to service any user for any operation

• Transparent Cisco® APIC node additions and deletions

• Fully automated Cisco APIC software cluster upgrade with redundancy during upgrade

• Cluster size based on transaction rate requirements

• Cisco APIC is not in the data path

Page 57: Social Defined Networking


Fabric Initialization and Maintenance

• Cisco ACI fabric supports discovery, boot, inventory, and systems maintenance processes through Cisco APIC

- Fabric discovery and addressing

- Image management

- Topology validation through wiring diagram and system checks

Diagram: Cisco APIC cluster attached to the fabric
• Topology discovery through LLDP using Cisco® ACI specific TLVs (Cisco ACI OUI)
• Loopback and VTEP IP addresses allocated from the "infra VRF" through DHCP from Cisco APIC

Page 58: Social Defined Networking


Cisco ACI Fabric - Managed Objects

Diagram: the distributed managed information tree (dMIT), a Root with managed objects (MO) beneath it; each MO carries a class, a dn, and properties (prop1, prop2, ...)

Full, Unified Description of Entities: No Artificial Separation of Configuration, State, or Runtime Data

• Everything is an object

• Objects are hierarchically organized

• Class identifies object type: card, port, path, EPG, etc.

• Class inheritance
− An access port is a subclass of the port
− A leaf node is a subclass of the fabric node

• Set of attributes: identity, states, descriptions, references, lifecycle

• Distributed managed information tree (dMIT) contains comprehensive system information
− Discovered components
− System configuration
− Operation status, including statistics and faults

Page 59: Social Defined Networking


Cisco ACI Fabric Managed Objects: Authentication, Authorization, and RBAC

• Access to all managed objects is authenticated and encrypted

• Every object has a unique set of RBAC read and write attributes

• Cisco APIC and the fabric are designed to support multitenant and multi-SME operations

• Local and external AAA (TACACS+, RADIUS, and LDAP) authentication and authorization

Diagram: managed-object tree
Universe
  Tenant: Pepsi
    App Profile
    EPGs
    Layer 3 Networks
  Tenant: Coke
    App Profile
    EPGs
    Layer 3 Networks
  Fabric
    Switch
      Line Cards
        Ports

Page 60: Social Defined Networking


Diagram: dMIT example with RBAC scopes
universe
  Fabric1 (Port Stats)
    Switch1, Switch2, Switch3
      LC1, LC2
        Port1 ... PortN-1, PortN
  Infrastructure
  Tenant Network Profiles, EPGs, and EPs
    Network Profile Pepsi
      Endpoint Group Pepsi-DB
        Endpoints
      Network Pepsi-Net
        Layer 3 Network PepsiL3Net
        Layer 2 Network PepsiL2Net
      Named ref: QoS Policy
    Network Profile Coke
  Shared Policies
    QoS Policy
    Access Policy

Example: Provider Admin
User: admin
Domain: all
Role: infra-admin

Example: Tenant Admin
User: pepsi_admin
Domain: pepsi
Role: admin

Example: Tenant Read-Only Operator
User: pepsi_operations
Domain: pepsi
Roles: ep-stats, ep-events
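The object tree and the three example users above, worked through as an added Python illustration (not Cisco code, and not how the APIC actually implements RBAC): a toy dMIT in which every managed object derives its dn from its position in the tree and its class declares the privilege needed to read or write it, while a user's domain limits which tenant subtree is visible and the user's roles limit which operations are allowed. Class names and the uni/tn-/ap-/epg-/BD- naming follow ACI conventions; the fabric subtree naming, the endpoint address, and the privilege sets behind each role are assumptions made for this example.

```python
"""Toy model of an ACI-style distributed managed information tree (dMIT)
with domain- and role-scoped RBAC.  Added illustration, not Cisco code.
Class names and uni/tn-/ap-/epg-/BD- naming follow ACI conventions; the
fabric subtree naming and the privilege sets per role are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterator, List, Optional, Set, Tuple


@dataclass
class MO:
    """A managed object: class, relative name, properties, children.
    The dn is derived from the path back to the root, so identity is positional."""
    cls: str
    rn: str
    props: Dict[str, str] = field(default_factory=dict)
    children: List["MO"] = field(default_factory=list)
    parent: Optional["MO"] = field(default=None, repr=False)

    @property
    def dn(self) -> str:
        return self.rn if self.parent is None else f"{self.parent.dn}/{self.rn}"

    def add(self, cls: str, rn: str, **props: str) -> "MO":
        child = MO(cls, rn, dict(props), parent=self)
        self.children.append(child)
        return child

    def walk(self) -> Iterator["MO"]:
        yield self
        for child in self.children:
            yield from child.walk()

    def find(self, dn: str) -> Optional["MO"]:
        return next((mo for mo in self.walk() if mo.dn == dn), None)


# Per-class (read, write) privilege required; assumed values for this example.
CLASS_PRIVS: Dict[str, Tuple[str, str]] = {
    "polUni":     ("tenant-read", "infra-write"),
    "fvTenant":   ("tenant-read", "tenant-write"),
    "fvAp":       ("tenant-read", "tenant-write"),
    "fvAEPg":     ("tenant-read", "tenant-write"),
    "fvBD":       ("tenant-read", "tenant-write"),
    "fvCEp":      ("ep-read",     "tenant-write"),   # endpoint (stats, events)
    "fabricInst": ("fabric-read", "fabric-write"),
    "fabricNode": ("fabric-read", "fabric-write"),
    "l1PhysIf":   ("fabric-read", "fabric-write"),
}

# Role -> privileges.  Role names are the slide's; the privilege sets are assumed.
ROLE_PRIVS: Dict[str, Set[str]] = {
    "infra-admin": {"tenant-read", "tenant-write", "ep-read",
                    "fabric-read", "fabric-write", "infra-write"},
    "admin":       {"tenant-read", "tenant-write", "ep-read"},
    "ep-stats":    {"ep-read"},
    "ep-events":   {"ep-read"},
}


@dataclass(frozen=True)
class User:
    name: str
    domain: str            # "all", or a tenant name that scopes the user to uni/tn-<name>
    roles: FrozenSet[str]

    @property
    def privs(self) -> Set[str]:
        return set().union(*(ROLE_PRIVS[r] for r in self.roles))


def in_domain(mo: MO, domain: str) -> bool:
    """Domain scoping: 'all' sees the whole tree, a tenant domain only its own subtree."""
    if domain == "all":
        return True
    scope = f"uni/tn-{domain}"
    return mo.dn == scope or mo.dn.startswith(scope + "/")


def authorize(user: User, mo: MO, op: str) -> bool:
    """Both checks must pass: the object lies inside the user's domain, and
    one of the user's roles grants the privilege the object's class demands."""
    if op not in ("read", "write"):
        raise ValueError(op)
    if not in_domain(mo, user.domain):
        return False
    read_priv, write_priv = CLASS_PRIVS[mo.cls]
    return (read_priv if op == "read" else write_priv) in user.privs


def visible_dns(user: User, root: MO) -> List[str]:
    """The part of the dMIT a user can read, in tree order."""
    return [mo.dn for mo in root.walk() if authorize(user, mo, "read")]


def build_tree() -> MO:
    """Constructed sample tree mirroring the slide's diagram (Pepsi, Coke, Fabric1)."""
    uni = MO("polUni", "uni")
    pepsi = uni.add("fvTenant", "tn-pepsi")
    pepsi.add("fvBD", "BD-Pepsi-Net")
    epg = pepsi.add("fvAp", "ap-pepsi").add("fvAEPg", "epg-Pepsi-DB")
    epg.add("fvCEp", "cep-00:11:22:33:44:55", ip="10.1.1.10")   # constructed endpoint
    coke = uni.add("fvTenant", "tn-coke")
    coke.add("fvAp", "ap-coke").add("fvAEPg", "epg-Coke-Web")
    # Fabric subtree: naming is made up to match the slide, not real ACI dns.
    uni.add("fabricInst", "fabric1").add("fabricNode", "switch1").add("l1PhysIf", "lc1-port1")
    return uni


# The three example users from the slide.
USERS: Dict[str, User] = {
    "admin":            User("admin", "all", frozenset({"infra-admin"})),
    "pepsi_admin":      User("pepsi_admin", "pepsi", frozenset({"admin"})),
    "pepsi_operations": User("pepsi_operations", "pepsi", frozenset({"ep-stats", "ep-events"})),
}

if __name__ == "__main__":
    root = build_tree()
    for name, user in USERS.items():
        print(name, "can read:", visible_dns(user, root))
```

Running it shows the point of the two-part check: pepsi_admin has full tenant-write rights but sees nothing of tn-coke or of the fabric nodes, because the domain test fails before privileges are consulted, and pepsi_operations sees only the endpoint under Pepsi-DB and cannot write even that.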

Page 61: Social Defined Networking


Cisco ACI Fabric Switch OS: Purpose-Built OS for Automation and Cloud

Diagram: Cisco APIC (Data Management Engine (DME); Management Information Tree and Policy Repository; RESTful API (JSON, XML); On-Box Scripting (Python, Puppet, and CFEngine)) managing switch nodes that run Cisco NX-OS, each with its own DME object store

Cisco NX-OS 11.0

• Rewritten object-oriented Cisco® NX-OS

− Process isolation and restart

− Patching capability (future)

− Enables automation and scale

• Processes as managed objects

− Centralized policy and configuration

− Consistent run-time policy

• Centralized image management

− Management for all nodes

− Zero-touch installation - POAP

• Third-party extensibility

− Puppet, Chef, Python, and CFEngine

Page 62: Social Defined Networking

Thank you.