TRANSCRIPT
11/7/16
Cisco's cloud technology innovation and contributions in OpenStack: using Cisco ACI to rapidly deploy a high-performance, highly transparent and easily troubleshot OpenStack network platform
July 12th, 2016 Taipei
Philip Wong, Technical Solution Architecture, Cisco Greater China
© 2015 Cisco and/or its affiliates. All rights reserved.
Legal Disclaimer
Many of the products and features described herein remain in varying stages of development and will be offered on a when-and-if-available basis. This roadmap is subject to change at the sole discretion of Cisco Systems, and Cisco Systems will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document. All material shared during this session is presented in strict confidence and covered by any and all Non Disclosure Agreements you have with Cisco Systems Inc.
Agenda
• Cisco's commitment to OpenStack
• A new network model for cloud application deployment
• Benefits of Cisco ACI for OpenStack deployment
• Technical architecture overview
• Live demonstration
• Partner/customer engagements
Cisco's Commitment to OpenStack
Partners/Customers
• Cisco Validated Designs for production deployments
• Work closely and jointly with customers to design and build their OpenStack environment
Cloud Services
• OpenStack-based Global Intercloud hosted across Cisco and partner data centers
• Cisco WebEx service running on OpenStack
Engineering/Automation
• Automation (Puppet) and architectures (HA) for production deployment and operational support
• Neutron/Nova plug-ins for Cisco product lines: Nexus, CSR, ACI, UCS
Community Participation
• Code contributions across several services: Network, Compute, Dashboard, Storage
• Foundation Board member
Applications in the Connected World
[Figure: SaaS, PaaS and IaaS layers spanning Data Center, Cloud and Edge/IoT. Traditional applications: ERP, financial, client/server, CRM, email. Cloud-native applications: IoT, big data, analytics, gaming.]
What may be further enhanced with OpenStack Networking today?
Cloud Application Model (Service A, Service B, Service C, MySQL):
• No broadcast or multicast
• Resilient and fault tolerant
• Scalable tiers
• Built around loosely coupled services
• Does not care about IP addresses
Neutron Model (external network, router, networks and subnets, MySQL):
• Layer 2 and broadcast is the base API
• Networks, routers, and subnets
• Based on existing networking models
• No concept of dependency mapping or intent
Intent
The application owner ("app guy") says: "My app looks like this." That intent passes through Heat orchestration and is translated into the detailed abstraction of each domain (neutron, nova, cinder, swift, glance).
• The collected user application requirements have to be translated
• In the course of that translation the user's purpose is inevitably lost
• User intent may be lost!
Traditional Data Center Network Deployment
Application owners provide the network requirements of the application environment
The system/network team translates the requirements into infrastructure specifications
Network architects/engineers perform the configuration on the network equipment (CLI, GUI)
Application requirements are communicated in application language (web front end, application, authentication system, database) and must be translated into network language (ACL, VLAN, QoS, SVI; network segmentation, security definitions, load balancing).
When the application is slow: is it an application problem or a network problem? How do you troubleshoot quickly?
Group-Based Policy for OpenStack
• 100% open source, Apache-licensed
• Interface for capturing application intent, including network service requirements
• Model inspired by APIC but available for any hardware/software platform
• Networking today; plans to cover compute and storage
• Growing number of contributors and ecosystem partners
[Figure: Group-Based Policy model. A Policy Rule Set (Classifier + Action) between a Web Group and a DB Group, with a Service Chain through a firewall.]
Group-Based Policy Model
Policy Group: Set of endpoints with the same properties. Often a tier of an application.
Policy Rule Set: Set of Classifiers / Actions describing how Policy Groups communicate.
Policy Classifier: Traffic filter including protocol, port and direction.
Policy Action: Behavior to take as a result of a match. Supported actions include "allow" and "redirect".
Service Chains: Set of ordered network services between Groups.
L2 Policy: Specifies the boundaries of a switching domain. Broadcast is an optional parameter.
L3 Policy: An isolated address space containing L2 Policies / Subnets.
[Figure: An L3 Policy contains two L2 Policies, each holding a Policy Group of Policy Targets (endpoints). One Policy Group provides and the other consumes a Policy Rule Set made of Policy Rules (Classifier + Action), optionally routed through a Service Chain of nodes.]
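To make the provide/consume semantics of the model above concrete, here is a small evaluator written for this page. It is an added example, not code from the OpenStack GBP project or from Cisco; the object names follow the slide's vocabulary, while the evaluation rules, the "intra-group traffic is allowed" default and the sample Web/DB application are assumptions made for the illustration.

```python
"""Toy evaluator for the Group-Based Policy (GBP) model described above.

Added illustration, not code from the OpenStack GBP project or from Cisco.
Names follow the slide (Policy Group, Policy Target, Policy Rule Set, Policy
Rule, Classifier, Action, Service Chain, L2 Policy). The evaluation rules,
the intra-group-allowed default and the sample application are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Classifier:
    """Traffic filter: protocol, destination port range and direction.
    Direction is relative to the provider: "in" matches flows a consumer
    initiates toward the provider, "bi" matches both directions."""
    protocol: str = "any"      # "tcp", "udp", "icmp" or "any"
    port_min: int = 0
    port_max: int = 65535
    direction: str = "in"

    def matches(self, protocol: str, port: int) -> bool:
        proto_ok = self.protocol == "any" or self.protocol == protocol
        return proto_ok and self.port_min <= port <= self.port_max


@dataclass(frozen=True)
class Action:
    kind: str                  # "allow" or "redirect"
    service_chain: tuple = ()  # ordered service nodes for "redirect"


@dataclass(frozen=True)
class PolicyRule:
    classifier: Classifier
    action: Action


@dataclass(frozen=True)
class PolicyRuleSet:
    name: str
    rules: tuple               # PolicyRule objects; first match wins


@dataclass
class PolicyGroup:
    """A set of endpoints (policy targets) with the same properties."""
    name: str
    l2_policy: str
    targets: set = field(default_factory=set)    # endpoint identifiers
    provided: set = field(default_factory=set)   # rule sets this group provides
    consumed: set = field(default_factory=set)   # rule sets this group consumes


class PolicyModel:
    """Whitelist semantics: a flow from a consumer group to a provider group is
    permitted only by a rule set the provider provides AND the consumer
    consumes, whose classifier matches. Anything else is dropped."""

    def __init__(self):
        self.rule_sets, self.groups, self.endpoint_group = {}, {}, {}

    def add_rule_set(self, rule_set):
        self.rule_sets[rule_set.name] = rule_set

    def add_group(self, group):
        self.groups[group.name] = group
        for target in group.targets:
            self.endpoint_group[target] = group.name

    def evaluate(self, src_group, dst_group, protocol, port):
        """Return (verdict, service_chain); verdict is allow, redirect or drop."""
        if src_group == dst_group:
            return ("allow", ())       # intra-group traffic allowed (assumption)
        consumer, provider = self.groups[src_group], self.groups[dst_group]
        for rs_name in sorted(consumer.consumed & provider.provided):
            for rule in self.rule_sets[rs_name].rules:
                if (rule.classifier.direction in ("in", "bi")
                        and rule.classifier.matches(protocol, port)):
                    return (rule.action.kind, rule.action.service_chain)
        return ("drop", ())

    def evaluate_endpoints(self, src_ep, dst_ep, protocol, port):
        """Same check keyed on endpoint identifiers instead of group names."""
        return self.evaluate(self.endpoint_group[src_ep],
                             self.endpoint_group[dst_ep], protocol, port)


def build_web_db_model():
    """The slide's example: clients reach the Web group on HTTPS; the Web group
    reaches the DB group on MySQL through a firewall service chain."""
    model = PolicyModel()
    model.add_rule_set(PolicyRuleSet("web-access", (
        PolicyRule(Classifier("tcp", 443, 443), Action("allow")),)))
    model.add_rule_set(PolicyRuleSet("db-access", (
        PolicyRule(Classifier("tcp", 3306, 3306),
                   Action("redirect", ("firewall",))),)))
    model.add_group(PolicyGroup("client", "l2-external", {"client-1"},
                                consumed={"web-access"}))
    model.add_group(PolicyGroup("web", "l2-frontend", {"web-1", "web-2"},
                                provided={"web-access"}, consumed={"db-access"}))
    model.add_group(PolicyGroup("db", "l2-backend", {"db-1"},
                                provided={"db-access"}))
    return model


if __name__ == "__main__":
    m = build_web_db_model()
    for src, dst, proto, port in [("client-1", "web-1", "tcp", 443),
                                  ("client-1", "web-1", "tcp", 22),
                                  ("web-1", "db-1", "tcp", 3306),
                                  ("client-1", "db-1", "tcp", 3306)]:
        print(src, "->", dst, proto, port, m.evaluate_endpoints(src, dst, proto, port))
```

The point worth noticing is the double requirement: the client group consumes nothing that the DB group provides, so client-to-DB traffic on 3306 is dropped even though a rule permitting that port exists. Only the Web group, which both consumes "db-access" and is its intended peer, reaches the database, and only through the firewall in the service chain.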
ACI + OpenStack with OpFlex Support: Full Policy-Based Network Automation Extended to the Linux Hypervisor
OpenStack feature highlights:
• Open source OpFlex agent extends ACI into the Linux hypervisor
• OpFlex Proxy exposes a new open API in the ACI fabric
• Fully distributed Neutron network functions, including NAT
• Integrated, centrally managed overlay and underlay fabric
• Operational visibility integrating OpenStack, Linux, and APIC
• Choice of virtual network (standard Neutron ML2) or Group-Based Policy driven networking
Solutions with major OpenStack distributions available now!
[Figure: OpenStack Controller (APIC ML2 driver or Group-Based Policy) and a hypervisor running OVS with OpFlex for OVS; the OpFlex Agent on the host talks to the OpFlex Proxy in the fabric.]
Cisco ACI is the data center SDN solution, combining advanced open software and hardware technology
Rapid deployment of applications onto networks with scale, security and full visibility
[Figure: ACI with the Application Centric Policy Controller (APIC) and a Nexus 9500/9300 spine-leaf fabric (Spine 0, Spine 1, Leaf 0, Leaf 1).]
DC Architecture Evolves Towards a Fabric
• No more Spanning Tree
• L3 routing, host based
• High bandwidth, multipath enabled
• Eliminates L2 flooding
• Facilitates VM mobility
[Figure: spine/leaf fabric running MP-BGP, with a border leaf towards WAN/core, a services leaf, and virtual leaves (AVS/OVS) on the hypervisors.]
Cisco ACI offers an innovative hybrid deployment model: policy-driven network provisioning
Application policy model: defines the application requirements (application network profile)
Policy instantiation: each device dynamically instantiates the required changes based on the policies
[Figure: APIC pushes the application network profile (Application Client, Web Tier, App Tier, DB Tier, Storage) to the fabric; VMs with addresses from different subnets (10.2.4.7, 10.9.3.37, 10.32.3.7) are attached to their tiers.]
Benefits of OpenStack on ACI
Integrated overlay and underlay
• Fully managed underlay network through the APIC controller
• Ability to connect physical servers and multiple hypervisors to overlay networks
Distributed, scalable virtual networking
• Fully distributed L2, anycast gateway, DHCP, metadata
• Distributed NAT / floating IP
• Choice of Group-Based Policy or Neutron API
Service chaining
• Support for L3 or L2 service insertion and chaining
• Device package ecosystem for third-party devices or Group-Based Policy service chaining
Hardware performance
• Automatic VXLAN tunnels at top-of-rack
• No wasted CPU cycles for tunneling
Secure multi-tenancy
• Virtual network isolation is maintained even when a hypervisor is compromised
Operations and telemetry
• Troubleshooting across physical and virtual environments
• Health scores, atomic counters, capacity planning per tenant network
Two OpenStack Plugin Options
APIC ML2 driver (Neutron API / ML2):
• Neutron objects (network, router, security group) are created through the standard Neutron API
• The plugin performs the conversion from the Neutron model to the APIC policy model
GBP APIC driver (Group-Based Policy):
• Policy groups, rule sets and service chains (e.g. firewall, ADC) are expressed directly in Group-Based Policy
• The Group-Based Policy native driver interfaces directly with the APIC policy model
* Only one model is supported in a given OpenStack deployment
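What "conversion from Neutron to the policy model" means in practice, and why the earlier slides say intent is lost on the way, is easiest to see on a tiny topology. The example below is added for this page and is not the APIC ML2 driver's code: the mapping it uses (project to tenant, router to L3 policy, network to L2 policy plus one policy group, router interface to an allow-everything rule set between the attached networks) is an assumption chosen to mirror the model on this page, and the real driver's object naming differs. Security groups are deliberately left out, consistent with the OpFlex slide's note that under the ML2 driver they are enforced with iptables on the hypervisor rather than in the fabric policy.

```python
"""Illustrative Neutron-to-policy-model conversion.

Added example, not the Cisco APIC ML2 driver's code. The object mapping and
the constructed sample project are assumptions made for this illustration.
"""
import itertools


def convert_neutron_to_policy(project):
    """Translate a Neutron project description into intent-style policy objects.

    network -> L2 policy + one policy group; router -> L3 policy (isolated
    address space); each pair of networks attached to the same router -> an
    allow-any rule set provided and consumed by both. (Assumed mapping.)
    """
    policy = {"tenant": project["name"], "l3_policies": {}, "l2_policies": {},
              "groups": {}, "rule_sets": {}}
    for net in project["networks"]:
        policy["l2_policies"][net["name"]] = {"subnets": list(net["subnets"]),
                                              "l3_policy": None}
        policy["groups"][net["name"]] = {"l2_policy": net["name"],
                                         "provided": set(), "consumed": set()}
    for router in project["routers"]:
        attached = sorted(router["interfaces"])
        policy["l3_policies"][router["name"]] = {"l2_policies": attached}
        for net in attached:
            policy["l2_policies"][net]["l3_policy"] = router["name"]
        # A Neutron router only states "these subnets route to each other", so
        # the only faithful translation is allow-any in both directions.
        for a, b in itertools.combinations(attached, 2):
            name = f"{router['name']}:{a}<->{b}"
            policy["rule_sets"][name] = {"protocol": "any", "ports": (0, 65535),
                                         "action": "allow"}
            for group in (a, b):
                policy["groups"][group]["provided"].add(name)
                policy["groups"][group]["consumed"].add(name)
    return policy


def allowed_between(policy, src, dst):
    """Rule sets that permit src -> dst: src consumes and dst provides them."""
    names = policy["groups"][src]["consumed"] & policy["groups"][dst]["provided"]
    return {n: policy["rule_sets"][n] for n in sorted(names)}


def is_allowed(policy, src, dst, protocol, port):
    """Whitelist check over the converted policy."""
    for rule_set in allowed_between(policy, src, dst).values():
        if (rule_set["protocol"] in ("any", protocol)
                and rule_set["ports"][0] <= port <= rule_set["ports"][1]):
            return True
    return False


# Constructed sample (not from the page): two networks joined by one router,
# plus an isolated management network with no router interface.
SAMPLE_PROJECT = {
    "name": "shop",
    "networks": [
        {"name": "web-net", "subnets": ["10.1.0.0/24"]},
        {"name": "db-net", "subnets": ["10.2.0.0/24"]},
        {"name": "mgmt-net", "subnets": ["10.9.0.0/24"]},
    ],
    "routers": [{"name": "r1", "interfaces": ["web-net", "db-net"]}],
}

if __name__ == "__main__":
    p = convert_neutron_to_policy(SAMPLE_PROJECT)
    print("web -> db mysql :", is_allowed(p, "web-net", "db-net", "tcp", 3306))
    print("db  -> web ssh  :", is_allowed(p, "db-net", "web-net", "tcp", 22))
    print("mgmt -> db mysql:", is_allowed(p, "mgmt-net", "db-net", "tcp", 3306))
```

The application owner's intent was "web talks to db on MySQL". After the Neutron round-trip the policy can only say "web-net and db-net route to each other", so the database network may also open SSH towards the web tier. Expressed natively in Group-Based Policy, the same application would carry a single tcp/3306 classifier, which is the difference between the two plugin options on this slide.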
Available NOW: OpFlex Support
OpFlex offers:
• GBP or APIC ML2
• Operations / troubleshooting / visibility: endpoint statistics, health and faults in APIC
• Hypervisor-local enforcement of security policies: Security Groups (ML2 driver) via iptables; GBP via OpenFlow in Open vSwitch
• Distributed NAT support on each compute node: floating IP; SNAT (via the hypervisor host IP)
• Distributed Neutron services per compute node: L3 / anycast gateway, metadata, DHCP
• Multiple VRF support
[Figure: OpenStack Controller (Group-Based Policy optional, APIC ML2) and a hypervisor hosting VMs from Project 1, Project 2 and Project 3 (vm3 to vm6); the OpFlex Agent on the hypervisor connects over VLAN/VXLAN to the OpFlex Proxy.]
APIC VMM Integration for OpenStack
• OpenStack is represented as a VMM domain in APIC
• Per-hypervisor / per-group view of KVM hypervisor operational data
• Per-endpoint statistics, health scores, faults
Useful Information for Further Reading
Architecture guide:
• http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/OpenStack/b_ACI_with_OpenStack_OpFlex_Architectural_Overview.html
Datasheets:
• http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/OpenStack-at-cisco/datasheet-c78-734181.html
• http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/OpenStack-at-cisco/datasheet-c78-732353.html
Deployment guides:
• http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/OpenStack/b_ACI_with_OpenStack_OpFlex_Deployment_Guide_for_Red_Hat.html
• http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/OpenStack/b_ACI_with_OpenStack_OpFlex_Deployment_Guide_for_Ubuntu.html