Cisco ACI® and SDN: Move beyond first generation SDN with Application Centric Infrastructure


Upload: cisco-public-sector

Post on 14-Jul-2015


Page 1: Cisco ACI® and SDN: Move beyond first generation SDN with Application Centric Infrastructure

Move beyond 1st generation SDN with Application Centric Infrastructure

Ryan Kido

Systems Engineer

SDN & ACI

[email protected] CCIE #8558

Page 2:

Cisco Confidential © 2014 Cisco and/or its affiliates. All rights reserved.

Session Goals


▪  What is SDN?

▪  SDN Challenges

▪  What Cisco is doing in SDN

▪  ACI and what’s different about it

Page 3:

[Word cloud: SDN? Scale, NSX, OpenFlow, ONF, Controllers, Overlay, Orchestration, DevOps, API, REST, Python, Puppet, Chef, Centralized Control Plane, Cloud, OpenDaylight, onePK, VXLAN Gateway, Applications, NFV, Commodity, Agility, Programmable, Open Standards, ACI, OpenStack, Open]

Page 4:

What is SDN?

Page 5:

What SDN is becoming…

SDN: mmmm… I’ll put that on ANYTHING!

Page 6:

This is the promise of SDN

Page 7:

…to “Simplify” the administration of the network…

Page 8:

…and for the network to have greater awareness of Application needs

Page 9:

[Image-only slide]

Page 10:

Controller

Network Elements

Page 11:

[Diagram: controller pushing flows α and β to network elements A, B, C, D, E]

Page 12:

[Diagram: WLC and APs; SBC / SIP Proxy and SBC / B2BUAs]

Page 13:

Four parts to Openflow

Page 14:

Openflow Controller

Central Administration and Operations point for Network Elements

Page 15:

Openflow Controller | Northbound API

Northbound API: integral part of Controller

“Network enabled” application can make use of Northbound API to request services from the network…

Page 16:

Openflow Device Agent

Agent runs on the network device. Agent receives instructions from Controller. Agent programs device tables.

Page 17:

Openflow Protocol

Openflow Protocol is… “A mechanism for the Openflow Controller to communicate with Openflow Agents…”

Page 18:

[Diagram: VM1, VM2, VM3 behind a Virtual Switch on one Hypervisor and VM4, VM5, VM6 behind a Virtual Switch on another, joined across an IP Network; Ethernet Frames carried inside IP/UDP Packets between IP Addr 1.1.1.1 and IP Addr 2.2.2.2; air traffic control analogy (CGH, SDU, Air Traffic Control System)]

Page 19:

Logical “switch” devices overlay the physical network

Underlying physical network carries data traffic for overlay network

They define their own topology

Page 20:

Multiple “overlay” networks can co-exist at the same time

Overlays provide logical network constructs for different tenants (customers)

Page 21:

[Diagram: Apps, APIs (onePK), Control Plane, Data Plane]

Page 22:

Network Programmability Strategy

Configure/Operate | Device Extension | DevOps Plug-ins

§ Evolve programmability architecture to common Cisco data models

§ NETCONF YANG, REST and Python API

§ PCEP & BGP family protocols for SP networks

§ Deliver onePK GA on all platforms

§ Targeted additional APIs development

§ Targeted focus on Open Flow 1.3 for SLED

§ Puppet/Chef plug-in – target DevOps customers

§ Open architecture – Allow partners/customers/open source developers to add new plug-ins and extensions

Page 23:

SDN Challenges

Page 24:

Centralized Controller Challenges

Dealing with Failures

Managing Bursts

Achieving Optimal Efficiency

Managing Scale

Page 25:

Overlay-Only Challenges

Reduced Visibility | Difficult to Troubleshoot | Security/Compliance Challenges

[Diagram: Network Visibility of Your Apps Today (Physical) vs. Network Visibility of Your Apps on a Software Overlay (Overlay on top of Physical). “I see smoke, but nothing’s on the dashboard?” “Why can’t I go faster? Wow, this totally makes drivers’ licenses useless!”]

• Initial deployment is slower. Must configure and deploy 2 different networks.

• Benefits are primarily for virtual machines

• Requires a separate, independent, stable, high bandwidth, and fully redundant fabric.

Page 26:

Programmability Challenges

[Diagram: Higher Level Services; CLI, SNMP, SYSLOG; Serial, Ethernet, PoS, FC, DS3]

No good options in traditional APIs

Page 27:

How is Cisco approaching SDN?

Page 28:

Unique Customer Demands

Sophisticated DIY DevOps Teams

▪ Robust APIs ▪ Open Standards ▪ Data Models ▪ Orchestration Integration

Traditional Enterprise IT

▪ Improve Visibility ▪ Reduce Risk ▪ Speed Deployment ▪ Simplify Operations ▪ Reduce CapEx

Application Providers

▪ Deep Data Plane Access ▪ Well Documented APIs ▪ Linux Containers ▪ Shell Access ▪ Software Development Kits

Page 29:

Unique Network Domain Restrictions

Data Center and/or Cloud: Un-Constrained Bandwidth, Regular Topology

WAN: Constrained Bandwidth, Un-Constrained Topology

Campus: Un-Constrained Bandwidth, Semi Un-Constrained Topology

L2/L3 Overlay Network

Page 30:

Cisco Approach to Software Defined Networking: Evolving the Network to Meet Emerging Requirements…

Preserve What’s Working: • Resiliency • Scale • Rich Feature-Set

Evolve for Emerging Requirements: • Operational Simplicity • Programmability • Application Awareness

Evolve the Network for the Next Wave of Application Requirements

Page 31:

Cisco’s Strategy: Open Network Environment (ONE)…

OPEN NETWORK ENVIRONMENT: Industry’s Most Comprehensive Networking Portfolio (Hardware + Software, Physical + Virtual, Network + Compute)

Platform APIs | Controllers & Agents | Virtual Overlays | Applications

www.cisco.com/go/one

Page 32:

SDN Projects at Cisco

Network Function Virtualization; OpenStack (Neutron); onePK; REST/JSON APIs; Virtual Network Services; OpenDaylight; Application Centric Infrastructure; OPFLEX; APIC-EM; Monitor Manager (Network Apps); OpenFlow; Puppet/Chef Agents; NSH - Service Chaining; LISP; iWAN

Sample project list, not exclusive

Page 33:

SDN Controller – Overview

OK that looks really ugly but wait a minute… all cars have: • Four wheels • Steering wheel • Gas pedal • Brake pedal

But completely different use-cases

Page 34:

What is Project Open Daylight?

Open Daylight is an open source project formed by industry leaders and others under the Linux Foundation with the mutual goal of furthering the adoption and innovation of Software Defined Networking (SDN) through the creation of a common vendor supported framework.

[Member logos: Platinum, Gold, Silver]

Controllers

Page 35:

Cisco APIC Enterprise Module Architecture: Masking Network Complexity, Exposing Network Intelligence

Abstracts Network Devices to Mask Complexity; Treat Network as a System; Exposes Network Intelligence for Business Innovation

[Diagram: Cisco and Third Party Applications (Security, QoS, Mobility) → REST API → Cisco APIC Enterprise Module (Network Info Database, Policy Infrastructure Automation) → CLI, OpenFlow, OnePK API → Network Devices (Catalyst, ASR, ISR)]

Controllers

Page 36:

APIC-EM

[Diagram: APIC EM Applications (Inventory and Topology, Identity and Location, Application Awareness, Policy Translation, QoS Visualizer, Policy Management, ZTD Visualizer, ACL Visualizer, Advanced Topology Visualizer, Automated Provisioning, Analysis and Compliance, Network Infrastructure Management, IWAN) over REST APIs; APIC EM Elastic Services (SAL); APIC EM Services; Controller Infrastructure; CLI; APIC-EM Controller]

Controllers

Page 37:

Simplifying Access Control List Management: Flow-Based ACL Trace and Troubleshooting

[Diagram: ACL trace along the path Switch 1, Router 1, Router 2, Router 3]

Page 38:

Granular Control: Per User Per Application Access Policy Enforcement

[Diagram: CAMPUS and BRANCH sites; APIC-EM Controller; Authentication via ISE and AD/Radius Server; policy “Block Bit-Torrent”; User moves to a branch site. Policy moves with it]

§ Admin configures business policy to block application traffic on a per user/user_group basis.

§ Controller uses identity information to install user specific access policy at the edge.

§ If the user moves, the controller dynamically moves the user policy along with it, providing near real time granular control

Page 39:

Granular Control: Per User Per Application Access Policy Enforcement

[Diagram: CAMPUS and BRANCH sites; APIC-EM Controller; ISE; AD/Radius Server; policy “Block Bit-Torrent”; User moves to a branch site. Policy moves with it]

§ Important to Note:

§ Network Admin sees the network as a unit

§ Network admin is applying the policy for the user “to the network” and NOT “to the port”

§ Network admin doesn’t have to know which port the user is connected to → this is the job of the controller

Page 40:

Easy QoS: Simplified and Centralized QoS Management - No More Individual, Box-by-Box Configuration

[Diagram: Config. from Cisco Validated Design-Based Templates; traffic classes Control, Transactional Data, Realtime, Best Effort; Cisco Validated Design {CVD}]

Page 41:

Controlled Availability Release: Path Visualization

APIC EM Returns A Path Based on a 5 Tuple Input

• No efficient method to troubleshoot IP voice and video sessions traversing the network on demand

• Calls are dropped routinely and often enough to be a high problem area for many companies

• Lack of network visibility creates large OPEX to diagnose and find problem sources (eats up lots of time and money)

• Often takes days or weeks and trial and error to investigate and interrogate

Page 47:

System of record vs. system of change

Prime Infrastructure (System of Record):

• Policy definition • Historical reporting on events & performance • Configuration archive • Troubleshooting workflows • Capacity Trending • Predictive Analytics

APIC - EM (System of Change):

• Policy enforcement • Discovery (for change) • Topology (for change) • PnP • Network state monitoring • Device abstraction • Network Control

Controllers

Page 48:

VxLAN Deep Dive – Overlays: Types of Overlay Edge Devices

Host Overlays (Virtual to Virtual; Tunnel End Point):

• Virtual end-points only • Single admin domain • VXLAN, NVGRE, STT

Network Overlays (Physical to Physical):

• Router/switch end-points • Protocols for resiliency/loops • Traditional VPNs • OTV, VXLAN, VPLS, LISP

Integrated Overlays (Virtual and Physical; Fabric DB):

• Physical and Virtual • Resiliency + Scale • Cross-organizations/Federation • Open Standards

Overlays

Page 49:

VXLAN Packet Structure

▪ Original L2 Frame Given a VXLAN Header with VNI

[Diagram: Outer MAC header | Outer IP header | UDP header | VXLAN Header | Original L2 Frame | FCS]

UDP header has a well known UDP destination port reserved for VXLAN

IP header has destination and source addresses of the VTEPs

Outer MAC header has source VTEP MAC and next hop MAC as destination

Outer MAC frame may optionally have a VLAN tag (if needed, i.e. sent over a trunk)

UDP source port is generated using a hash of the inner IP/Ethernet header → native load-sharing by Bundle/ECMP

Overlays
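The header layout above, as an added example that is not from the deck: a VTEP-side encapsulate/decapsulate pair in Python. It assumes the IANA VXLAN port 4789 and the RFC 7348 VNI-valid flag (the slide only says “well known”), CRC32 as the source-port hash, and constructed MAC and host addresses; the VTEP addresses 1.1.1.1 and 2.2.2.2 are the ones on slide 18.

```python
"""Build and parse the VXLAN encapsulation described on slide 49.

Added example, not from the deck. Assumed (the slide does not spell them
out): the IANA VXLAN UDP destination port 4789, the 'I' (VNI valid) flag
0x08 from RFC 7348, CRC32 as the source-port hash, constructed MAC and
host addresses. The outer FCS is left to the NIC."""
import socket
import struct
import zlib
from typing import NamedTuple, Optional

VXLAN_UDP_PORT = 4789          # assumed: IANA-assigned VXLAN destination port
VXLAN_FLAG_VNI_VALID = 0x08    # 'I' bit: VNI field is valid (RFC 7348)
ETHERTYPE_IPV4, ETHERTYPE_VLAN, IPPROTO_UDP = 0x0800, 0x8100, 17

Decapsulated = NamedTuple("Decapsulated", [("vni", int), ("src_vtep", str),
                          ("dst_vtep", str), ("udp_src_port", int), ("inner", bytes)])


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries; a header carrying a valid checksum sums to 0
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vxlan_source_port(inner: bytes) -> int:
    """Hash the inner Ethernet + IPv4 headers (34 bytes) into the ephemeral
    range; a per-flow source port is what lets transit bundles/ECMP spread
    overlay traffic, as the slide notes."""
    return 49152 + zlib.crc32(inner[:34]) % 16384


def vxlan_header(vni: int) -> bytes:
    """8 bytes: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)


def encapsulate(inner: bytes, vni: int, src_vtep: str, dst_vtep: str,
                src_vtep_mac: str, next_hop_mac: str,
                vlan: Optional[int] = None) -> bytes:
    """Outer MAC [+ 802.1Q tag] | Outer IP (VTEP to VTEP) | UDP | VXLAN | inner."""
    vx = vxlan_header(vni)
    udp_len = 8 + len(vx) + len(inner)
    udp = struct.pack("!HHHH", vxlan_source_port(inner), VXLAN_UDP_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64,
                     IPPROTO_UDP, 0, socket.inet_aton(src_vtep), socket.inet_aton(dst_vtep))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = mac_bytes(next_hop_mac) + mac_bytes(src_vtep_mac)
    if vlan is not None:  # optional VLAN tag when the VTEP sends over a trunk
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp + vx + inner


def decapsulate(frame: bytes) -> Decapsulated:
    """Strip the outer headers; raise ValueError on anything malformed
    rather than guessing, which is also what a receiving VTEP should do."""
    ethertype, off = struct.unpack_from("!H", frame, 12)[0], 14
    if ethertype == ETHERTYPE_VLAN:  # skip the optional 802.1Q tag
        ethertype, off = struct.unpack_from("!H", frame, 16)[0], 18
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ihl = (frame[off] & 0x0F) * 4
    ip_hdr = frame[off:off + ihl]
    if ihl < 20 or ipv4_checksum(ip_hdr) != 0 or ip_hdr[9] != IPPROTO_UDP:
        raise ValueError("outer IP header is bad or not UDP")
    sport, dport, ulen, _ = struct.unpack_from("!HHHH", frame, off + ihl)
    if dport != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    flags, vni_field = struct.unpack_from("!B3xI", frame, off + ihl + 8)
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag clear: VNI not valid")
    start = off + ihl + 16  # past outer IP, UDP (8) and VXLAN (8) headers
    return Decapsulated(vni_field >> 8, socket.inet_ntoa(ip_hdr[12:16]),
                        socket.inet_ntoa(ip_hdr[16:20]), sport,
                        frame[start:start + ulen - 16])


def sample_inner_frame() -> bytes:
    """Constructed tenant frame: host 10.0.0.1 -> 10.0.0.2 (IPv4, no payload)."""
    eth = mac_bytes("00:00:5e:00:53:01") + mac_bytes("00:00:5e:00:53:02")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, IPPROTO_UDP, 0,
                     socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"))
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip


def roundtrip(vni: int = 5000, vlan: Optional[int] = None) -> Decapsulated:
    """VTEP 1.1.1.1 encapsulates for VTEP 2.2.2.2 (addresses from slide 18)."""
    pkt = encapsulate(sample_inner_frame(), vni, "1.1.1.1", "2.2.2.2",
                      "00:00:5e:00:53:aa", "00:00:5e:00:53:bb", vlan)
    return decapsulate(pkt)
```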

Page 50:

Application Hosting Options: On Box / Off Box

[Diagram: NX-API; Linux Container with Custom App (x2); UCS Director]

Programmability

Page 51:

Guest Shell – What?

Guest Shell “What”

ü Linux Container Environment

ü Symbiotic relationship with Network OS.

ü Activated at boot time.

ü Application and programmatic interface habitat.

ü Can be resized as needed by user (via CLI).

Guest Shell Innards

ü RPM package manager (yum)

ü Python interpreter (pip support)

ü onePK libraries

ü bootflash: access

Allows users access to embedded Linux system: Linux Environment, Modular, Secure Resource Isolation, Fault Isolation, Integrated Service

Programmability

Page 52:

Programmability – Automation and Orchestration - Chef / Puppet

• Cross-platform IT automation software leveraging declarative language to manage IT infrastructure lifecycle

• Allows for automation of configuration or patch roll-out

[Diagram: Puppet Master → Puppet Agent]

Programmability

Page 53:

REST Follows a Familiar Model

Web Browsing: HTTP GET → HTML. Describes how data should be displayed to please human viewer

REST API: HTTP GET → JSON/XML. Describes data in a format applications can understand

{"ids":[303776224, 19449911, 607032789, 86544242, 2506725913, 17631389], "next_cursor":0, "next_cursor_str":"0", "previous_cursor":0, "previous_cursor_str":"0"}

Programmability

Page 54:

Programmability – Interfaces: Python – Scripting

• Built in Python Shell

• Can be used to execute CLI commands and reference objects through Python interpreter

• Most commands can be executed to return the command output as a Python Dictionary

• Pass arguments to Python scripts from CLI

• Integration with NX-OS Embedded Event Manager (EEM)

Programmability

Page 55:

Programmability – Interfaces: Python – Reduce Time-to-Resolution

Customer and TAC Engineer: ping, show ip route, show ip arp, show mac address-table, show port-channel interface, show interface

Programmability

Page 56:

Programmability – Interfaces: Python – Reduce Time-to-Resolution

Customer and TAC Engineer:

INSIEME# detailson 192.168.208.2

     Details for IP Address:  192.168.208.2

+---------------+-----------------------+------------------+----------------+--------+--------+-----------------+------------+
|   IP Address  |      Ping Result      |     Next Hop     |      MAC       | L3 Int | L2 Int |      Errors     | Po Members |
+---------------+-----------------------+------------------+----------------+--------+--------+-----------------+------------+
| 192.168.208.2 |   0.00% packet loss   | 10.1.1.1, ospf-1 | 30f7.0d9f.8801 |  Po1   |  Po1   |  0 input error  | Eth1/1(P), |
|               | 0.494/3.455/15.219 ms |                  |                |        |        | 0 output errors | Eth1/2(P)  |
+---------------+-----------------------+------------------+----------------+--------+--------+-----------------+------------+


     Enter Next IP to get details on (Press 0 to exit): 10.1.1.1

     Details for IP Address:  10.1.1.1

+------------+---------------------+----------+----------------+--------+--------+-----------------+------------+
| IP Address |     Ping Result     | Next Hop |      MAC       | L3 Int | L2 Int |      Errors     | Po Members |
+------------+---------------------+----------+----------------+--------+--------+-----------------+------------+
|  10.1.1.1  |  0.00% packet loss  | attached | 30f7.0d9f.8801 |  Po1   |  Po1   |  0 input error  | Eth1/1(P), |
|            | 0.578/0.67/0.945 ms |          |                |        |        | 0 output errors | Eth1/2(P)  |
+------------+---------------------+----------+----------------+--------+--------+-----------------+------------+


     Enter Next IP to get details on (Press 0 to exit):

Programmability

Page 57:

How is Cisco’s Model Different?

Page 58:

ACI

New Switches (Nexus 9000)

APIC Controller

New Virtual Switch

Partner Ecosystem (Applications)

Page 59:

[Diagram: HYPERVISOR, HYPERVISOR, HYPERVISOR]

APIC controller is the policy enabler for the ACI infrastructure

Page 60:

There are two models that can be used to build a controller architecture

Page 61:

Legacy architecture: Imperative

Next-Gen architecture: Declarative

Page 62:

Openflow is an example of an implementation of the imperative model

[Diagram: Openflow Controller S/W hosting App #1, App #2, App #3, above switches each running an O/F Agent on ASIC HW]

Page 63:

Imperative is a top down approach to managing the network

[Same diagram; label: Translation]

Page 64:

where network state is held and managed by the controller and pushed down to the network elements

[Same diagram]

Page 65:

… but this ultimately leads to scale limitations for the controller as the network grows…

[Same diagram]

Page 66:

Hence the “Imperative” model is not optimal…

Page 67:

Ok, now why is the “Declarative” model better?

Page 68:

The Declarative model uses a bottom up approach

[Diagram: APIC Controller above two Switches]

Page 69:

Where the physical switches handle the network state

[Diagram: APIC Controller; Switch (State), Switch (State)]

Page 70:

That state is defined by the policies created by the APIC controller

[Diagram: APIC Controller holding Policy; Policy distributed to each Switch, which holds its own State]

Page 71:

The “Declarative” model scales much better

Page 72:

Policy Defined Networking: A Declarative Approach

“We suffer sometimes from the hubris of believing that control is a matter of applying sufficient force, or a sufficiently detailed set of instructions.”

Mark Burgess, “In Search of Certainty”, July 2013, ISBN-13: 978-1492389163

Declarative (What): Draw a horse.

Imperative (How): Pick up your pencil… “Set indicator, pull clutch, switch to second gear, turn right, ...”

Page 73: Cisco ACI® and SDN: Move beyond first generation SDN with Application Centric Infrastructure

Cisco Confidential © 2013-2014 Cisco and/or its affiliates. All rights reserved.

ACI Fabric: IP Network with an Integrated Overlay

•  ACI Fabric is based on an IP fabric supporting routing to the edge, with an integrated overlay for host routing
   ‒  All end-host (tenant) traffic within the fabric is carried through the overlay

•  Why choose an integrated overlay?
   ‒  Mobility, scale, multi-tenancy, and integration with emerging hypervisor designs
   ‒  Data traffic can now carry explicit metadata that allows for distributed policy (flow-level control without requiring flow-level programming)

[Diagram: IP fabric with integrated overlay, IP (VXLAN)]

Page 74: Cisco ACI® and SDN: Move beyond first generation SDN with Application Centric Infrastructure


Complex application architectures

Page 75: Cisco ACI® and SDN: Move beyond first generation SDN with Application Centric Infrastructure


Why Network Provisioning is Slow: The Language Barrier

Developer and infrastructure teams must translate between disparate languages.

Page 76: Cisco ACI® and SDN: Move beyond first generation SDN with Application Centric Infrastructure


ACI Policy Model: End Point Groups (EPG)

[Diagram (policy model): EPG “Web” containing an HTTP Service and an HTTPS Service]

An EPG is a grouping of end-points representing an application or application component, independent of other network constructs.

Page 77: Cisco ACI® and SDN: Move beyond first generation SDN with Application Centric Infrastructure


Object Relationships in Policy Defined Networking

▪  Relationships between objects/groups are defined by providing or consuming contracts

▪  Connectivity is ‘turned on’ by creating relationships

▪  Objects/groups can provide, consume, or both

Consumer/provider relationships define which objects or groups can communicate and the policy requirements for that connectivity.

[Diagram: Users → Web Farm → App Servers → DB Farm, each adjacent pair joined by a Policy Contract]
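The consumer/provider model above is easiest to see as a whitelist check. The following is an added illustration, not Cisco code or the APIC's actual object model: EPGs, contracts and filters are simplified dataclasses, and the Users → Web Farm → App Servers → DB Farm chain with its port numbers is constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Filter:
    """One contract filter entry (simplified: protocol + destination port)."""
    proto: str
    dport: int

@dataclass
class EPG:
    name: str
    provided: set = field(default_factory=set)  # names of contracts this EPG provides
    consumed: set = field(default_factory=set)  # names of contracts this EPG consumes

class PolicyModel:
    """Whitelist model: a flow from src to dst EPG is permitted only when dst
    provides a contract that src consumes and the flow matches one of that
    contract's filters; anything else is dropped. Simplified: only the initiating
    direction is checked (ACI's reverse-filter return traffic is not modelled)."""

    def __init__(self):
        self.contracts = {}  # contract name -> frozenset of Filter
        self.epgs = {}

    def add_contract(self, name, *filters):
        self.contracts[name] = frozenset(filters)

    def add_epg(self, epg):
        self.epgs[epg.name] = epg

    def permits(self, src, dst, proto, dport):
        if src == dst:
            return True  # intra-EPG traffic is open in a default (non-isolated) EPG
        s, d = self.epgs[src], self.epgs[dst]
        for cname in s.consumed & d.provided:  # contracts both sides agree on
            if Filter(proto, dport) in self.contracts[cname]:
                return True
        return False  # no consumer/provider relationship or no matching filter

def build_example_model():
    """Constructed example: the Users -> Web Farm -> App Servers -> DB Farm chain."""
    m = PolicyModel()
    m.add_contract("web", Filter("tcp", 80), Filter("tcp", 443))
    m.add_contract("app", Filter("tcp", 8080))
    m.add_contract("db", Filter("tcp", 3306))
    m.add_epg(EPG("Users", consumed={"web"}))
    m.add_epg(EPG("Web Farm", provided={"web"}, consumed={"app"}))
    m.add_epg(EPG("App Servers", provided={"app"}, consumed={"db"}))
    m.add_epg(EPG("DB Farm", provided={"db"}))
    return m
```

The point to notice is that Users reach the Web Farm but never the DB Farm: contracts are not transitive, so reachability exists only where a group explicitly provides what its peer consumes.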

Page 78: Cisco ACI® and SDN: Move beyond first generation SDN with Application Centric Infrastructure


ACI Layer 4 - 7 Service Chaining

•  Elastic service insertion architecture for physical and virtual services

•  Automation of service bring-up / tear-down through programmable interface

[Diagram: EPG A (Web Servers) → Policy Redirection → Chain “Security 5” → EPG B (App Server). The Application Admin attaches the chain; the Service Admin defines it as a Service Graph (begin → Stage 1 ….. Stage N → end) whose Providers are Firewall and Load Balancer instances, each described by a Service Profile. “Security 5” Chain Defined.]

Page 79: Cisco ACI® and SDN: Move beyond first generation SDN with Application Centric Infrastructure


Application Network Profiles

[Diagram: APIC pushes an Application Profile (SLA, QoS, Security, Load Balancing) across hypervisors, covering connectivity policy, security policies, QoS, storage and compute, and application L4..7 services; traffic path WEB → L/B → APP → DB with F/W and L/B inserted]

Page 80: Cisco ACI® and SDN: Move beyond first generation SDN with Application Centric Infrastructure


Integrated Analytics


▪  Current Health of EVERYTHING

▪  Traffic analysis per application

▪  Identify problems early

▪  Unified Physical and Virtual Management

Page 81: Cisco ACI® and SDN: Move beyond first generation SDN with Application Centric Infrastructure


The application-aware network

[Diagram: the domains the application-aware network spans: Physical Networking, Compute, L4–L7 Services, Storage, Hypervisors and Virtual Networking, Multi-DC WAN and Cloud]

Page 82: Cisco ACI® and SDN: Move beyond first generation SDN with Application Centric Infrastructure


Openness and Security Built In


Northbound: Open REST APIs support integration with any software

Southbound: OpFlex API supports integration with any network device

[Diagram: APIC at the centre; northbound: Automation, Enterprise Monitoring, Systems Management, Orchestration Frameworks, OVM, Hypervisor Management Applications; Open Source; Open Standards: OpFlex, NSH, VXLAN; Open Interfaces: JSON, XML, OpFlex, REST]

Advanced Security

▪  Policy

▪  RBAC

▪  Encryption

▪  Auditing

▪  Tenant Isolation

Robust Partner Ecosystem

Page 83: Cisco ACI® and SDN: Move beyond first generation SDN with Application Centric Infrastructure


ACI – Policy Defined Networking: Logical network provisioning of stateless hardware

[Diagram: ACI Fabric controlled by APIC; Outside (Tenant VRF) → Web → App → DB, with QoS plus a Filter or Service policy applied on each hop]

Page 84: Cisco ACI® and SDN: Move beyond first generation SDN with Application Centric Infrastructure


Cisco Services and Our Partners: We Accelerate, Optimize and Sustain Success

What now?

Optimization Services allow you to Optimize and Sustain your Advanced Technologies

Workshops give you the FRAMEWORK to Accelerate the Adoption of Advanced Technologies

Maximize ROI Faster!

Advanced Services provide subject matter expertise to Design and Deploy Advanced Technologies

Page 85: Cisco ACI® and SDN: Move beyond first generation SDN with Application Centric Infrastructure


In summary…


Page 86: Cisco ACI® and SDN: Move beyond first generation SDN with Application Centric Infrastructure


Why ACI?


▪  Agility
   ▪  ACI Policy enables mobility of Virtual and Physical workloads in the Data Center. This includes Hosts and Network Services, including effective service chaining on a secure, stateless fabric.

▪  Cost
   ▪  No VM Tax, truly multi-hypervisor ready
   ▪  Simple Licensing for Leaf Ports and Controller only
   ▪  Minimal Components to achieve Agility and Openness (Spine, Leaf, APIC)

▪  Open
   ▪  Published APIs enable a large Ecosystem of Orchestrators, Systems Management, and L4-7 Services
   ▪  Designed with published standards and driving OpFlex as a standard to further drive Openness across the industry

Page 87: Cisco ACI® and SDN: Move beyond first generation SDN with Application Centric Infrastructure


Cisco SDN Strategy: Three Game Changing Differentiators

1. Policy Model
   • Operationally Simple
   • Lowest TCO
   • Zero-touch provisioning

2. Physical + Virtual
   • Health Metrics
   • Visibility / Telemetry
   • Troubleshooting

3. Open and Secure
   • Open APIs / Open Source
   • Advanced Security
   • 3rd Party Integration

Page 88: Cisco ACI® and SDN: Move beyond first generation SDN with Application Centric Infrastructure

Thank you.