ACI Operations & Security - Cisco (slide transcript)
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
ACI Operations & Security
Mikkel Brodersen & Michael Petersen, System Engineers, Cisco Danmark
14 April 2016
ACI Status
Status of ACI in Denmark
• 11 installations in production: full Enterprise Cloud Suite solution at KMD (earlier breakout session); ACI installation no. 1000 at Danske Bank, http://blogs.cisco.com/news/danske-bank-our-1000th-cisco-aci-customer
• 100+ customers and partners trained: ACI Test Drive (2 days), training partner courses (2–5 days), customer training
• 10+ projects under way: commerce, public data centres, municipalities
Typical installations
• Service providers / hosting companies: fast activation of new customers; secure and consistent definition of infrastructure; extension of the existing data centre network with policy control
• Public data centres: time-saving administration; new application environments; fast SLA response
• Development houses / application hosting: test environments are set up quickly and securely; can be removed again without problems; can simply be changed into a production environment
• Financial customers: new application environments; fast SLA response; secure activation of applications
How long does it take?
• Planning is the key – 90% planning, 10% implementation
• Identification of areas of benefit (applications, automation, time-consuming processes, error-free installations)
• The learning curve is steep – training before planning and implementation is important
• Scripting becomes important – techniques and languages must be learned, but they are universally applicable
• Scripting experience is often found in-house in the server and application groups
• Scripting gives very fast implementation once customer requirements have been identified and mapped correctly
… but you can also run a full ACI environment from the GUI – and there are many options here!
Two weeks!
Existing Cisco Nexus 9000 Portfolio: 10/40G optimized, over 6000 customers. Nexus 9000 Portfolio Extension: 1/10/25/40/50/100G (NEW!)
Slide diagram, families shown: Nexus 9200 and Nexus 9300EX (industry firsts); Nexus 9300; Nexus 9500 (Nexus 9504, Nexus 9508, Nexus 9516, existing chassis delivering on the investment protection promise).
Port configurations shown: 36p wire-rate 100G; 56p 40G + 8p 40/100G; 72p 40G; 48p 10/25G SFP & 4p 100G / 6p 40G; 48p 10/25G SFP & 6p 100G; 48p 10GT & 6p 100G; 48p 10G & 4p 40G (VXLAN routing option); 36p 40G ACI / 32p 40G NX-OS; 36p 40/100G ACI & NX-OS; 48p 10G & 6p 40G; 96p 10G & 6p 40G; 32p 40G (NX-OS only).
N9300 & N9500 – same hardware for NX-OS and ACI.
Deployment: Building an Initially Small ACI POD
Diagram: WAN - Core; Brownfield Network connected to a Greenfield ACI Fabric.
The end goal is to migrate endpoints and network services to the ACI fabric.
Integration: Connecting Brownfield and Greenfield Networks
Diagram: WAN - Core; the brownfield L2/L3 boundary connected to the ACI fabric over an L2 trunk.
First step: creating an L2 connectivity path.
Back-to-back vPC for avoiding L2 loops.
Endpoints Integration, Use Case 1: VLAN == BD == EPG
Diagram: WAN - Core; L2/L3 boundary in the brownfield network; VLAN 10 and VLAN 20 carried on the trunk to the ACI fabric.
Map VLAN10 to EPG1 and VLAN20 to EPG2:
• EPG1 in BD Web1: App1 Web 10.10.10.10, App1 Web 10.10.10.11
• EPG2 in BD Web2: App1 Web 10.20.20.10, App1 Web 10.20.20.11
Endpoints Integration, Use Case 2: Single VLAN to Different EPGs
Diagram: WAN - Core; L2/L3 boundary in the brownfield network; VLAN 10 carried on the trunk to the ACI fabric.
Map VLAN10 to EPG-Outside (the diagram shows App1 Web 10.10.10.10 on the brownfield side).
In the fabric, one BD "Web" holds two EPGs whose endpoints come from the same VLAN 10 subnet:
• EPG1: App1 Web 10.10.10.10, App1 Web 10.10.10.11
• EPG2: App1 Web 10.10.10.20, App1 Web 10.10.10.21
Contracts ("C") between the EPGs: communication secured by ACI policy.
Default Gateway Considerations
Diagram, existing design: HSRP default GW on the aggregation layer, Subnet 1 = VLAN 10, physical servers (P) and VMs. ACI fabric: Subnet 1 = EPG1, with L2 bridging between the two networks.
• The default gateway up to this point is still deployed in the brownfield network
• ACI initially provides only L2 connectivity services
• The L2 path between the two networks is leveraged by migrated endpoints to reach the default gateway
Migration: Routing between Brownfield and Greenfield
Diagram, existing design: HSRP default GW, IP Subnet 2 = VLAN 30; ACI fabric: IP Subnet 1 = EPG1; L3 routing between the two networks.
Routing between brownfield and greenfield may still be required:
• Handling communication to IP subnets that remain only on the brownfield network (default gateway remains on the aggregation devices)
• Handling communication with the WAN
Migration: Routing between Brownfield and Greenfield (diagram)
WAN - Core; L2/L3 boundary in the brownfield network; L3 links between the brownfield network and the ACI fabric.
• EPG1 endpoint 10.10.10.11 in the ACI fabric
• VLAN 30 endpoint 10.30.30.10 in the brownfield network; the default gateway for VLAN 30 remains in the brownfield network
• VLAN 30 is NOT carried on the vPC connection
ACI Multi-Fabric Design Options
Single APIC cluster / single domain:
• Stretched Fabric: one ACI fabric spanning Site 1 and Site 2
• Multi-POD: POD 'A' and POD 'B' under one APIC cluster, interconnected by an IP network with MP-BGP EVPN (Web/App and DB tiers spread across PODs)
Multiple APIC clusters / multiple domains:
• Dual-Fabric Connected: ACI Fabric 1 and ACI Fabric 2 with L2 and L3 extension (DB, Web, App tiers)
• Multi-Site (future): Site 'A' and Site 'B' interconnected with MP-BGP EVPN
ACI Multi-POD Solution Topologies
• Intra-DC: POD 1 … POD n under one APIC cluster
• Two DC sites connected back-to-back: POD 1 and POD 2 over dark fiber/DWDM (up to 10 msec RTT)
• 3 DC sites: POD 1, POD 2 and POD 3 over dark fiber/DWDM (up to 10 msec RTT)
• Multiple sites interconnected by a generic L3 network
Link speeds shown in the diagrams: 40G/100G between PODs and 10G/40G/100G toward the L3 network.
ACI Integration with WAN at Scale: Overview
Diagram: Web/App/DB tiers in VRF-1 and VRF-2; WAN routers connected to the ACI spine with MP-BGP EVPN; L3Out with VRF-lite also shown.
• WAN connection at the ACI spine
• VXLAN data plane between ACI spine and WAN routers
• BGP-EVPN control plane between ACI spine and WAN routers
• OpFlex for exchanging config parameters (VRF names, BGP route-targets, etc.)
• Addresses both control plane and data plane scale
• Consistent policy for WAN traffic at the ACI leaf (both ingress and egress directions)
Multi-POD and WAN, Intra-DC Deployment – Control Plane
Diagram: single APIC domain with multiple PODs (Web/App/DB) over the IPN; WAN devices connected to the POD spines with an MP-BGP EVPN control plane.
• WAN routes are received on the POD spines as EVPN routes and translated to VPNv4/VPNv6 routes with the spine proxy TEP as next-hop
• Public BD subnets are advertised to the WAN devices with the external spine-proxy TEP as next-hop
• Host routes for endpoints belonging to public BD subnets are advertised to the WAN devices as well
Multi-POD and WAN, Multi-DC Deployment – Control Plane
Diagram: single APIC domain, POD 'A' and POD 'B' (Web/App/DB) over the IPN, each with an MP-BGP EVPN control plane to its WAN devices.
• Host routes for endpoints belonging to public BD subnets in POD 'A'
• Host routes for endpoints belonging to public BD subnets in POD 'B'
• WAN devices inject the host routes into the WAN or register them in the LISP database
ACI – Lessons Learned
Michael Petersen, Systems Engineer, CCIE #39836
Cisco Connect 2016
Agenda
• Lessons Learned (Operations, VMM integration)
• Security (Built-in, Contracts)
• Demo
• Summary, Q&A
Your next DC Fabric – Turnkey or DIY solution?
Three options, ranging from an integrated stack to à-la-carte automation:
• Programmable Network: modern NX-OS with enhanced NX-APIs; DevOps toolset used for network management (Puppet, Chef, Ansible etc.); customer script-based operations and workflows
• Programmable Fabric: streamlined workflow management
• Application Centric Infrastructure: turnkey integrated solution with security, centralized management, compliance and scale; automated application-centric policy model with embedded security; broad and deep ecosystem
Diagram: FCAPS management areas (Fault, Configuration, Accounting, Performance, Security) covered by external tools versus integrated tools; VTS creation/expansion, fault management reporting and connection shown as tool functions.
Building your fabric – How to get started?
Diagram: APIC cluster; vDS-01 and vDS-02 attached to the fabric; separate "border leafs" shown for clarity.
• Layer 2 vPC to the existing network
• Layer 3 (OSPF etc.) to the existing network
• Connect new workloads to the ACI fabric and route out
VMM Integration
Hypervisor Interaction with ACI: Two Modes of Operation
Non-Integrated Mode
• ACI fabric as an IP-Ethernet transport
• Encapsulations manually allocated (e.g. VLAN 10, VXLAN 10000)
• Separate policy domains for physical and virtual
Integrated Mode
• ACI fabric as a policy authority
• Encapsulations normalized and dynamically provisioned
• Integrated policy domains across physical and virtual (APP, WEB, DB)
Hypervisor Integration with ACI: Control Channel – VMM Domains
• A relationship is formed between the APIC and the Virtual Machine Manager (VMM): vCenter vDS, vCenter AVS, SCVMM
• Multiple VMMs are likely on a single ACI fabric
• Each VMM and its associated virtual hosts are grouped within APIC; this grouping is called a VMM domain
• There is a 1:1 relationship between a virtual switch and a VMM domain (diagram: VMM Domain 1, VMM Domain 2, VMM Domain 3)
Built-in Security (Contracts)
Cisco ACI Security: Automated Security with Built-in Multi-tenancy
• Distributed stateless firewall
• Line-rate security enforcement
• Open: integrate any security device
• PCI and FIPS (new)
Embedded Security
• Whitelist firewall policy model
• Authenticated northbound API (X.509)
• Encrypted management plane (TLS 1.2)
Microsegmentation
• vDS, Hyper-V, and bare-metal workloads (new)
• Intra-EPG isolation (new)
• Attribute-based isolation and quarantine
Security Automation
• Dynamic service insertion and chaining
• Security policy follows workloads
• Centralized security provisioning and visibility
Cisco ACI Services Graph
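The whitelist firewall policy model listed above, together with the "communication secured by ACI policy" point from Use Case 2, can be made concrete with a small simulation. The Python below is an added example written for this transcript, not code from Cisco or from the presenters: it models EPGs, filters and provided/consumed contracts, evaluates sample flows with default-deny semantics (including intra-EPG isolation), and renders the same policy as an APIC-style JSON object tree. The tenant, EPG names, ports and the functions `build_sample_policy`, `flow_permitted` and `to_apic_payload` are constructed for the example; the APIC class and attribute names (fvTenant, fvAp, fvAEPg, vzBrCP, vzSubj, vzRsSubjFiltAtt, vzFilter, vzEntry, fvRsProv, fvRsCons, pcEnfPref) are given as I understand the APIC object model and should be checked against the documentation for your APIC version.

```python
"""Added example (not Cisco's or the presenters' code): a model of ACI's
whitelist contract policy. Traffic between endpoint groups (EPGs) is permitted
only where one EPG provides a contract that the other consumes and a filter
entry matches; everything else is dropped. Intra-EPG traffic is allowed unless
intra-EPG isolation is enforced on that EPG. Names and ports are constructed
for the example; APIC class/attribute names are as I understand the object
model (assumption: verify against your APIC version)."""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# A filter entry: (IP protocol, destination port from, destination port to).
# The port range is only meaningful for "tcp" and "udp".
Entry = Tuple[str, int, int]


@dataclass
class Contract:
    name: str
    entries: List[Entry]
    providers: Set[str] = field(default_factory=set)  # EPGs providing the contract
    consumers: Set[str] = field(default_factory=set)  # EPGs consuming the contract


@dataclass
class Policy:
    tenant: str
    epgs: Dict[str, bool]  # EPG name -> True if intra-EPG isolation is enforced
    contracts: List[Contract]


def build_sample_policy() -> Policy:
    """Constructed three-tier sample: Web consumes HTTP from App, App consumes SQL from DB."""
    app_http = Contract("app-http", [("tcp", 8080, 8080)], providers={"App"}, consumers={"Web"})
    db_sql = Contract("db-sql", [("tcp", 5432, 5432)], providers={"DB"}, consumers={"App"})
    # The DB tier has intra-EPG isolation enforced: DB servers may not talk to each other.
    return Policy("demo-tenant", {"Web": False, "App": False, "DB": True}, [app_http, db_sql])


def flow_permitted(policy: Policy, src_epg: str, dst_epg: str, proto: str, dport: int = 0) -> bool:
    """Whitelist evaluation of a consumer-initiated flow: deny unless a contract matches."""
    if src_epg not in policy.epgs or dst_epg not in policy.epgs:
        return False  # endpoints outside any EPG have no policy and are dropped
    if src_epg == dst_epg:
        return not policy.epgs[src_epg]  # intra-EPG traffic, unless isolation is enforced
    for c in policy.contracts:
        if src_epg in c.consumers and dst_epg in c.providers:
            for p, lo, hi in c.entries:
                if p == proto and (p not in ("tcp", "udp") or lo <= dport <= hi):
                    return True
    return False  # no provider/consumer relationship with a matching filter


def to_apic_payload(policy: Policy) -> dict:
    """Render the policy as an APIC-style tenant object tree (the shape POSTed to /api/mo/uni.json)."""
    children = []
    for c in policy.contracts:
        entries = []
        for i, (p, lo, hi) in enumerate(c.entries):
            attrs = {"name": f"e{i}", "etherT": "ip", "prot": p}
            if p in ("tcp", "udp"):
                attrs.update({"dFromPort": str(lo), "dToPort": str(hi)})
            entries.append({"vzEntry": {"attributes": attrs}})
        children.append({"vzFilter": {"attributes": {"name": f"{c.name}-flt"}, "children": entries}})
        children.append({"vzBrCP": {"attributes": {"name": c.name}, "children": [
            {"vzSubj": {"attributes": {"name": "subj"}, "children": [
                {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": f"{c.name}-flt"}}}]}}]}})
    epgs = []
    for name, isolated in policy.epgs.items():
        rels = [{"fvRsProv": {"attributes": {"tnVzBrCPName": c.name}}}
                for c in policy.contracts if name in c.providers]
        rels += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c.name}}}
                 for c in policy.contracts if name in c.consumers]
        epgs.append({"fvAEPg": {"attributes": {"name": name,
                                               "pcEnfPref": "enforced" if isolated else "unenforced"},
                                "children": rels}})
    children.append({"fvAp": {"attributes": {"name": "app1"}, "children": epgs}})
    return {"fvTenant": {"attributes": {"name": policy.tenant}, "children": children}}


if __name__ == "__main__":
    pol = build_sample_policy()
    for flow in [("Web", "App", "tcp", 8080), ("Web", "App", "tcp", 22),
                 ("Web", "DB", "tcp", 5432), ("DB", "DB", "tcp", 5432)]:
        print(flow, "PERMIT" if flow_permitted(pol, *flow) else "DENY")
    print(json.dumps(to_apic_payload(pol), indent=2))
```

The evaluator checks only the consumer-initiated direction; in a real fabric the contract subject's reverse-filter-ports setting is what lets stateless return traffic pass, which this model leaves out. The point the simulation makes is the one the slide makes: with no contract (Web to DB) or with the wrong port (Web to App on 22) the flow is dropped, and an isolated EPG drops even its own members' traffic.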
Segmentation for Physical and Virtual Workloads: Microsoft Hyper-V, VMware vDS, and Physical Workloads
Cisco ACI Policy Segmentation Today
• Basic data center segmentation (network-centric): Prod Pod, DMZ, Shared Services on VLAN 1, VXLAN 2, VLAN 3
• Service-level segmentation: Web, App, DB tiers
Intragroup Workload Isolation (New), e.g. within a Web-Tier EPG
• Isolate virtual machines
• Isolate bare-metal workloads
Demo – Michael Petersen, Systems Engineer
Summary. Questions?
Thank you.