Cisco ACI® and SDN: Move Beyond First Generation SDN with Application Centric Infrastructure
TRANSCRIPT
Move beyond 1st generation SDN with Application Centric Infrastructure
Ryan Kido
Systems Engineer
SDN & ACI
[email protected] CCIE #8558
Cisco Confidential © 2014 Cisco and/or its affiliates. All rights reserved.
Session Goals
▪ What is SDN?
▪ SDN Challenges
▪ What Cisco is doing in SDN
▪ ACI and what’s different about it
SDN? (word cloud: Scale, NSX, OpenFlow, ONF, Controllers, Overlay, Orchestration, DevOps, API, REST, Python, Puppet, Chef, Centralized Control Plane, Cloud, OpenDaylight, onePK, VXLAN Gateway, Applications, NFV, Commodity, Agility, Programmable, Open Standards, ACI, OpenStack, Open)
What is SDN?
What SDN is becoming…
SDN: “mmmm… I’ll put that on ANYTHING!”
This is the promise of SDN
…to “Simplify” the administration of the network…
…and for the network to have greater awareness of Application needs
(Figure: a Controller above the Network Elements; analogies: WLC and APs, SBC / SIP Proxy and SBC / B2BUAs)
Four parts to Openflow
• Openflow Controller: central administration and operations point for network elements
• Northbound API: integral part of the controller; a “network enabled” application can make use of the Northbound API to request services from the network…
• Openflow Device Agent: runs on the network device, receives instructions from the controller and programs the device tables
• Openflow Protocol: “A mechanism for the Openflow Controller to communicate with Openflow Agents…”
(Figure: VM1–VM3 and VM4–VM6, each group behind a Virtual Switch on a Hypervisor, attached to an IP Network; the VMs’ Ethernet Frames are carried as IP/UDP Packets between IP Addr 1.1.1.1 and IP Addr 2.2.2.2; Air Traffic Control System analogy with airports CGH and SDU)
Logical “switch” devices overlay the physical network. The underlying physical network carries data traffic for the overlay network. They define their own topology.
Multiple “overlay” networks can co-exist at the same time. Overlays provide logical network constructs for different tenants (customers).
onePK (figure): Apps, APIs (onePK), Control Plane, Data Plane
Network Programmability Strategy: Configure/Operate, Device Extension, DevOps Plug-ins
§ Evolve programmability architecture to common Cisco data models
§ NETCONF YANG, REST and Python API
§ PCEP & BGP family protocols for SP networks
§ Deliver onePK GA on all platforms
§ Targeted additional APIs development
§ Targeted focus on Open Flow 1.3 for SLED
§ Puppet/Chef plug-in – target DevOps customers
§ Open architecture – Allow partners/customers/open source developers to add new plug-ins and extensions
SDN Challenges
Centralized Controller Challenges: Dealing with Failures, Managing Bursts, Achieving Optimal Efficiency, Managing Scale
Overlay-Only Challenges: Reduced Visibility, Difficult to Troubleshoot, Security/Compliance Challenges
(Figure: Network Visibility of Your Apps Today vs. Network Visibility of Your Apps on a Software Overlay, with the overlay stacked on the physical network; cartoon captions: “I see smoke, but nothing’s on the dashboard?” and “Why can’t I go faster? Wow, this totally makes drivers’ licenses useless!”)
• Initial deployment is slower. Must configure and deploy 2 different networks.
• Benefits are primarily for virtual machines
• Requires a separate, independent, stable, high bandwidth, and fully redundant fabric.
Programmability Challenges (figure: Higher Level Services sit on top of CLI / SNMP / SYSLOG, which sit on top of Serial / Ethernet / PoS / FC / DS3): no good options in traditional APIs
How is Cisco approaching SDN?
Unique Customer Demands
• Sophisticated DIY DevOps Teams: Robust APIs, Open Standards, Data Models, Orchestration Integration
• Traditional Enterprise IT: Improve Visibility, Reduce Risk, Speed Deployment, Simplify Operations, Reduce CapEx
• Application Providers: Deep Data Plane Access, Well Documented APIs, Linux Containers, Shell Access, Software Development Kits
Unique Network Domain Restrictions
• Data Center and/or Cloud: Un-Constrained Bandwidth, Regular Topology
• WAN: Constrained Bandwidth, Un-Constrained Topology
• Campus: Un-Constrained Bandwidth, Semi Un-Constrained Topology
(The figure also shows an L2/L3 Overlay Network)
Cisco Approach to Software Defined Networking: Evolving the Network to Meet Emerging Requirements…
• Preserve What’s Working: Resiliency, Scale, Rich Feature-Set
• Evolve for Emerging Requirements: Operational Simplicity, Programmability, Application Awareness
Evolve the Network for the Next Wave of Application Requirements
Cisco’s Strategy: Open Network Environment (ONE)…
Industry’s Most Comprehensive Networking Portfolio: Hardware + Software, Physical + Virtual, Network + Compute
Layers: Platform APIs; Controllers & Agents; Virtual Overlays; Applications
www.cisco.com/go/one
SDN Projects at Cisco (sample project list, not exclusive): Network Function Virtualization, OpenStack (Neutron), onePK, REST/JSON APIs, Virtual Network Services, OpenDaylight, Application Centric Infrastructure, OpFlex, APIC-EM, Monitor Manager (Network Apps), OpenFlow, Puppet/Chef Agents, NSH – Service Chaining, LISP, iWAN
SDN Controller – Overview: OK, that looks really ugly, but wait a minute… all cars have four wheels, a steering wheel, a gas pedal and a brake pedal, but completely different use-cases.
What is Project Open Daylight?
Open Daylight is an open source project formed by industry leaders and others under the Linux Foundation with the mutual goal of furthering the adoption and innovation of Software Defined Networking (SDN) through the creation of a common vendor supported framework.
(Member logos: Platinum, Gold, Silver)
Cisco APIC Enterprise Module Architecture: Masking Network Complexity, Exposing Network Intelligence
• Abstracts Network Devices to Mask Complexity
• Treat Network as a System
• Exposes Network Intelligence for Business Innovation
Layers (figure): Cisco and Third Party Applications → REST API → Cisco APIC Enterprise Module (Network Info Database; Policy Infrastructure Automation; Security, QoS, Mobility) → CLI, OpenFlow, onePK API → Network Devices (Catalyst, ASR, ISR)
APIC-EM Controller (figure): REST APIs on top; Controller Infrastructure, Elastic Services, SAL and CLI underneath; APIC EM Services and Applications in between: Inventory and Topology, Identity and Location, Application Awareness, Policy Translation, Policy Management, Automated Provisioning, Analysis and Compliance, Network Infrastructure Management, QoS Visualizer, ZTD Visualizer, ACL Visualizer, Advanced Topology Visualizer, IWAN
Simplifying Access Control List Management: Flow-Based ACL Trace and Troubleshooting (figure: an ACL traced across Switch 1, Router 1, Router 2 and Router 3)
Granular Control: Per User Per Application Access Policy Enforcement (figure: APIC-EM Controller with ISE and an AD/Radius Server for authentication; a “Block Bit-Torrent” policy follows the user from CAMPUS to BRANCH)
§ Admin configures business policy to block application traffic on a per user/user_group basis.
§ Controller uses identity information to install user specific access policy at the edge.
§ If the user moves, the controller dynamically moves the user policy along with it, providing near real time granular control
User moves to a branch site. Policy moves with it.
§ Important to Note: Network Admin sees the network as a unit
§ Network admin is applying the policy for the user “to the network” and NOT “to the port”
§ Network admin doesn’t have to know which port the user is connected to; this is the job of the controller
Easy QoS: Simplified and Centralized QoS Management – No More Individual, Box-by-Box Configuration (figure: Cisco Validated Design (CVD)-based templates; traffic classes Control, Transactional Data, Realtime and Best Effort; Config.)
Controlled Availability Release: Path Visualization
APIC EM returns a path based on a 5-tuple input
• No efficient method to troubleshoot IP voice and video sessions traversing the network on demand
• Calls are dropped routinely and often enough to be a high problem area for many companies
• Lack of network visibility creates large OPEX to diagnose and find problem sources (eats up lots of time and money)
• Often takes days or weeks and trial and error to investigate and interrogate
System of record vs. system of change
• Prime Infrastructure – System of Record: Policy definition; Historical reporting on events & performance; Configuration archive; Troubleshooting workflows; Capacity Trending; Predictive Analytics
• APIC-EM – System of Change: Policy enforcement; Discovery (for change); Topology (for change); PnP; Network state monitoring; Device abstraction; Network Control
VxLAN Deep Dive – Overlays: Types of Overlay Edge Devices
• Host Overlays (virtual tunnel end points): Virtual end-points only; Single admin domain; VXLAN, NVGRE, STT
• Network Overlays (physical tunnel end points): Router/switch end-points; Protocols for resiliency/loops; Traditional VPNs; OTV, VXLAN, VPLS, LISP
• Integrated Overlays (virtual and physical tunnel end points, with a Fabric DB): Physical and Virtual; Resiliency + Scale; Cross-organizations/Federation; Open Standards
VXLAN Packet Structure
▪ Original L2 Frame given a VXLAN header with VNI (figure: Outer MAC header | Outer IP header | UDP header | VXLAN header | Original L2 Frame | FCS)
• UDP header has a well known UDP destination port reserved for VXLAN
• IP header has destination and source addresses of the VTEPs
• Outer MAC header has source VTEP MAC and next hop MAC as destination; the outer MAC frame may optionally have a VLAN tag (if needed, i.e. sent over a trunk)
• UDP source port is generated using a hash of the inner Ethernet/IP header, giving native load-sharing by Bundle/ECMP
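The packet layout above, built and parsed in code. This is an added example, not code from the slides or from Cisco; the VTEP addresses, MACs and inner frame are constructed sample values, and CRC32 stands in for whatever hash the switch ASIC uses for the source port.

```python
# Added example: VXLAN encapsulation/decapsulation laid out as on the slide.
import socket
import struct
import zlib

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port
VXLAN_FLAG_VNI_VALID = 0x08  # "I" flag: the VNI field carries a valid VNI


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) reserved(3) vni(3) reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)


def entropy_source_port(inner_frame: bytes) -> int:
    """Derive the outer UDP source port from the inner Ethernet+IP headers
    (first 34 bytes): every packet of one inner flow then takes the same ECMP
    path while different flows spread across links. CRC32 stands in for the
    ASIC hash (assumption); the result lands in the ephemeral range 49152-65535."""
    return 49152 + (zlib.crc32(inner_frame[:34]) % 16384)


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    padded = header + b"\x00" * (len(header) % 2)
    total = sum(struct.unpack("!%dH" % (len(padded) // 2), padded))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(inner_frame: bytes, vni: int, src_vtep_ip: str, dst_vtep_ip: str,
                src_vtep_mac: bytes, next_hop_mac: bytes, outer_vlan: int = None) -> bytes:
    """Wrap an original L2 frame; outer_vlan adds the optional 802.1Q tag (trunk)."""
    payload = vxlan_header(vni) + inner_frame
    udp_len = 8 + len(payload)
    # UDP checksum 0 = not computed; permitted over IPv4 and common for VXLAN.
    udp = struct.pack("!HHHH", entropy_source_port(inner_frame), VXLAN_UDP_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_vtep_ip), socket.inet_aton(dst_vtep_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    outer_mac = next_hop_mac + src_vtep_mac          # dst = next hop, src = VTEP
    if outer_vlan is not None:
        outer_mac += b"\x81\x00" + struct.pack("!H", outer_vlan & 0x0FFF)
    return outer_mac + b"\x08\x00" + ip + udp + payload   # EtherType IPv4


def decapsulate(packet: bytes) -> dict:
    """Validate the outer headers and return the inner frame plus the VNI, which
    tells a capture point which tenant segment the traffic belongs to."""
    ip_off, ethertype = 14, packet[12:14]
    if ethertype == b"\x81\x00":                     # optional outer VLAN tag
        ip_off, ethertype = 18, packet[16:18]
    if ethertype != b"\x08\x00":
        raise ValueError("outer frame is not IPv4")
    if packet[ip_off + 9] != 17:
        raise ValueError("outer IP protocol is not UDP")
    udp_off = ip_off + (packet[ip_off] & 0x0F) * 4
    sport, dport, _, _ = struct.unpack("!HHHH", packet[udp_off:udp_off + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    vx_off = udp_off + 8
    flags, vni_field = struct.unpack("!B3xI", packet[vx_off:vx_off + 8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    return {
        "src_vtep": socket.inet_ntoa(packet[ip_off + 12:ip_off + 16]),
        "dst_vtep": socket.inet_ntoa(packet[ip_off + 16:ip_off + 20]),
        "udp_sport": sport,
        "vni": vni_field >> 8,
        "inner_frame": packet[vx_off + 8:],
    }


def sample_inner_frame(payload: bytes = b"tenant data") -> bytes:
    """Constructed inner frame: Ethernet + minimal IPv4 header (protocol 253,
    reserved for experimentation) + payload, as a tenant VM would send it."""
    eth = bytes.fromhex("0050560000a1") + bytes.fromhex("0050560000b2") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 253, 0,
                     socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"))
    return eth + ip + payload
```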
NX-API
Application Hosting Options: On Box (Linux Containers running Custom Apps) and Off Box (UCS Director)
Guest Shell – What?
✓ Linux Container Environment
✓ Symbiotic relationship with Network OS.
✓ Activated at boot time.
✓ Application and programmatic interface habitat.
✓ Can be resized as needed by user (via CLI).
Guest Shell Innards
✓ RPM package manager (yum)
✓ Python interpreter (pip support)
✓ onePK libraries
✓ bootflash: access
Allows users access to embedded Linux system: Linux Environment, Modular, Secure Resource Isolation, Fault Isolation, Integrated Service
Programmability: Automation and Orchestration – Chef / Puppet
• Cross-platform IT automation software leveraging declarative language to manage IT infrastructure lifecycle
• Allows for automation of configuration or patch roll-out
(Figure: Puppet Master and Puppet Agent)
REST Follows a Familiar Model
• Web Browsing: HTTP GET returns HTML, which describes how data should be displayed to please a human viewer
• REST API: HTTP GET returns JSON/XML, which describes data in a format applications can understand, e.g.
{"ids":[303776224, 19449911, 607032789, 86544242, 2506725913, 17631389], "next_cursor":0, "next_cursor_str":"0", "previous_cursor":0, "previous_cursor_str":"0"}
Programmability – Interfaces: Python – Scripting
• Built in Python Shell
• Can be used to execute CLI commands and reference objects through Python interpreter
• Most commands can be executed to return the command output as a Python Dictionary
• Pass arguments to Python scripts from CLI
• Integration with NX-OS Embedded Event Manager (EEM)
Programmability – Interfaces: Python – Reduce Time-to-Resolution
(Figure: the Customer and the TAC Engineer go back and forth over ping, show ip route, show ip arp, show mac address-table, show port-channel interface and show interface)
The same information collected by one on-box Python script (the “detailson” command):

INSIEME# detailson 192.168.208.2

Details for IP Address: 192.168.208.2

+---------------+-----------------------+------------------+----------------+--------+--------+-----------------+------------+
| IP Address    | Ping Result           | Next Hop         | MAC            | L3 Int | L2 Int | Errors          | Po Members |
+---------------+-----------------------+------------------+----------------+--------+--------+-----------------+------------+
| 192.168.208.2 | 0.00% packet loss     | 10.1.1.1, ospf-1 | 30f7.0d9f.8801 | Po1    | Po1    | 0 input error   | Eth1/1(P), |
|               | 0.494/3.455/15.219 ms |                  |                |        |        | 0 output errors | Eth1/2(P)  |
+---------------+-----------------------+------------------+----------------+--------+--------+-----------------+------------+

Enter Next IP to get details on (Press 0 to exit): 10.1.1.1

Details for IP Address: 10.1.1.1

+------------+---------------------+----------+----------------+--------+--------+-----------------+------------+
| IP Address | Ping Result         | Next Hop | MAC            | L3 Int | L2 Int | Errors          | Po Members |
+------------+---------------------+----------+----------------+--------+--------+-----------------+------------+
| 10.1.1.1   | 0.00% packet loss   | attached | 30f7.0d9f.8801 | Po1    | Po1    | 0 input error   | Eth1/1(P), |
|            | 0.578/0.67/0.945 ms |          |                |        |        | 0 output errors | Eth1/2(P)  |
+------------+---------------------+----------+----------------+--------+--------+-----------------+------------+

Enter Next IP to get details on (Press 0 to exit):
How is Cisco’s Model Different?
ACI: New Switches (Nexus 9000), APIC Controller, New Virtual Switch, Partner Ecosystem (Applications)
APIC controller is the policy enabler for the ACI infrastructure (figure: APIC above the hypervisors)
There are two models that can be used to build a controller architecture:
1. Imperative (legacy architecture)
2. Declarative (next-gen architecture)
Openflow is an example of an implementation of the imperative model (figure: Openflow Controller S/W running App #1, App #2 and App #3, with translation down to an O/F Agent on the ASIC HW of each switch).
Imperative is a top down approach to managing the network, where network state is held and managed by the controller and pushed down to the network elements… but this ultimately leads to scale limitations for the controller as the network grows… Hence the “Imperative” model is not optimal…
Ok, now why is the “Declarative” model better?
The Declarative model uses a bottom up approach, where the physical switches handle the network state. That state is defined by the policies created by the APIC controller (figure: APIC Controller pushing Policy to the Switches, each of which holds its own State).
The “Declarative” model scales much better.
Policy Defined Networking: A Declarative Approach
“We suffer sometimes from the hubris of believing that control is a matter of applying sufficient force, or a sufficiently detailed set of instructions.”
Mark Burgess, “In Search of Certainty”, July 2013, ISBN-13: 978-1492389163
• Imperative – How: “Pick up your pencil…”; “Set indicator, pull clutch, switch to second gear, turn right, ...”
• Declarative – What: “Draw a horse.”
ACI Fabric: IP Network with an Integrated Overlay
• ACI Fabric is based on an IP fabric supporting routing to the edge with an integrated overlay for host routing
  ‒ All end-host (tenant) traffic within the fabric is carried through the overlay
• Why choose an integrated overlay?
  ‒ Mobility, scale, multi-tenancy, and integration with emerging hypervisor designs
  ‒ Data traffic can now carry explicit meta data that allows for distributed policy (flow-level control without requiring flow-level programming)
(Figure: IP fabric with integrated overlay, IP (VXLAN))
Complex application architectures
Why Network Provisioning is Slow: The Language Barrier
Developer and infrastructure teams must translate between disparate languages.
ACI Policy Model: End Point Groups (EPG)
EPGs are a grouping of end-points representing application or application components independent of other network constructs. (Figure: EPG – Web containing the HTTP Service and the HTTPS Service)
Object Relationships in Policy Defined Networking
▪ Relationships between objects/groups are defined by providing or consuming contracts
▪ Connectivity is ‘turned on’ by creating relationships
▪ Objects/groups can provide, consume or both
Consumer provider relationships define which objects or groups can communicate and the policy requirements for that connectivity (figure: Users → Policy Contract → Web Farm → Policy Contract → App Servers → Policy Contract → DB Farm)
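The EPG and contract relationships from the two slides above, reduced to a small whitelist model so the provide/consume rule can be checked against the Users → Web Farm → App Servers → DB Farm chain. This is an added example, not the APIC object model or its API; the contract names, filters and ports are constructed, and intra-EPG isolation is not modelled.

```python
# Added example (not Cisco's code): a minimal model of EPGs that provide and
# consume contracts, with the whitelist behaviour the slides describe.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Filter:
    """One filter entry of a contract: protocol and destination port."""
    proto: str
    dport: int


@dataclass(frozen=True)
class Contract:
    name: str
    filters: frozenset  # of Filter


class PolicyFabric:
    """EPGs provide and/or consume contracts; connectivity exists only where a
    relationship has been created, so with no contract nothing is permitted."""

    def __init__(self):
        self._provides = defaultdict(set)  # epg -> {Contract}
        self._consumes = defaultdict(set)  # epg -> {Contract}

    def provide(self, epg: str, contract: Contract) -> None:
        self._provides[epg].add(contract)

    def consume(self, epg: str, contract: Contract) -> None:
        self._consumes[epg].add(contract)

    def permitted(self, src_epg: str, dst_epg: str, proto: str, dport: int) -> bool:
        """May src_epg open proto/dport towards dst_epg?
        Simplifications (assumptions of this model): endpoints inside one EPG talk
        freely, and only the consumer side may initiate towards the provider."""
        if src_epg == dst_epg:
            return True
        shared = self._consumes[src_epg] & self._provides[dst_epg]
        return any(f.proto == proto and f.dport == dport
                   for c in shared for f in c.filters)

    def exposure(self, provider_epg: str) -> dict:
        """Audit view: which EPGs can reach provider_epg, and on which proto/port.
        This is what a reviewer checks before approving a contract change."""
        reach = defaultdict(set)
        for consumer, contracts in self._consumes.items():
            for c in contracts & self._provides[provider_epg]:
                reach[consumer].update((f.proto, f.dport) for f in c.filters)
        return dict(reach)


def build_three_tier_fabric() -> PolicyFabric:
    """The slide's chain Users -> Web Farm -> App Servers -> DB Farm with
    constructed sample ports; Web Farm and App Servers both provide and consume."""
    web = Contract("web", frozenset({Filter("tcp", 80), Filter("tcp", 443)}))
    app = Contract("app", frozenset({Filter("tcp", 8080)}))
    db = Contract("db", frozenset({Filter("tcp", 3306)}))
    fab = PolicyFabric()
    fab.provide("Web Farm", web)
    fab.consume("Users", web)
    fab.provide("App Servers", app)
    fab.consume("Web Farm", app)
    fab.provide("DB Farm", db)
    fab.consume("App Servers", db)
    return fab
```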
ACI Layer 4 - 7 Service Chaining
• Elastic service insertion architecture for physical and virtual services
• Automation of service bring-up / tear-down through programmable interface
(Figure: the Application Admin connects EPG A (Web Servers) to EPG B (App Server) through the chain “Security 5” using policy redirection; the Service Admin defines the Service Graph (begin, Stage 1 ….. Stage N, end) and the Service Profile with providers such as Firewall and Load Balancer instances; “Security 5” Chain Defined)
Application Network Profiles (figure: APIC above the hypervisors; an application profile of WEB, APP and DB tiers with F/W and L/B between them, carrying the connectivity policy, security policies, QoS, storage and compute, and application L4..7 services; APP PROFILE: SLA, QoS, Security, Load Balancing)
Integrated Analytics
▪ Current Health of EVERYTHING
▪ Traffic analysis per application
▪ Identify problems early
▪ Unified Physical and Virtual Management
The application-aware network: Physical Networking, Compute, L4–L7 Services, Storage, Hypervisors and Virtual Networking, Multi DC WAN and Cloud
Openness and Security Built In
• Northbound Open REST APIs support integration with any software: Automation, Enterprise Monitoring, Systems Management, Orchestration Frameworks, OVM, Hypervisor Management Applications
• Southbound OpFlex: API supports integration with any network device
• Open Source
• Open Standards: OpFlex, NSH, VXLAN
• Open Interfaces: JSON, XML, OpFlex, REST
• Advanced Security: Policy, RBAC, Encryption, Auditing, Tenant Isolation
• Robust Partner Ecosystem
ACI – Policy Defined Networking: Logical network provisioning of stateless hardware (figure: APIC provisions the ACI Fabric; Outside (Tenant VRF) → Web → App → DB, with QoS/Filter and QoS/Service policies between the tiers)
Cisco Services and Our Partners: We Accelerate, Optimize and Sustain Success
What now?
• Workshops give you the FRAMEWORK to accelerate the adoption of Advanced Technologies
• Advanced Services provide subject matter expertise to design and deploy Advanced Technologies
• Optimization Services allow you to optimize and sustain your Advanced Technologies
Maximize ROI Faster!
In summary…
Why ACI?
▪ Agility: ACI Policy enables mobility of Virtual and Physical workloads in the Data Center. This includes Hosts and Network Services, including effective service chaining on a secure, stateless fabric.
▪ Cost: No VM Tax, truly multi-hypervisor ready; Simple Licensing for Leaf Ports and Controller only; Minimal Components to achieve Agility and Openness (Spine, Leaf, APIC)
▪ Open: Published APIs enable a large Ecosystem of Orchestrators, Systems Management, and L4-7 Services; Designed with published standards and driving OpFlex as a standard to further drive Openness across the industry
Cisco SDN Strategy: Three Game Changing Differentiators
1. Policy Model: Operationally Simple, Lowest TCO, Zero-touch provisioning
2. Physical + Virtual: Health Metrics, Visibility / Telemetry, Troubleshooting
3. Open and Secure: Open APIs / Open Source, Advanced Security, 3rd Party Integration
Thank you.