migration from classic dc network to application centric...

Migration from Classic DC Network to Application Centric Infrastructure

BRKACI-1025

Kannan Ponnuswamy,

Solution Architect,

Cisco Advanced Services

© 2014 Cisco and/or its affiliates. All rights reserved. BRKACI-1025 Cisco Public

Acronyms

3

IOS

AAA VDC

ISE STP

FTP UCS

ToR

QoS OTV

PIM

CDP

vPC

FEX

ASA

RIP TAC

BGP

VSG

CPU

ARP Network Programmability

IaaS PaaS SaaS

SECaaS

XaaS

MTIaaS

VRF

ACI


Icons and Terms

Cisco Nexus 9500 Cisco Nexus 9300

Router Load Balancer Firewall

APIC

Application Policy Infrastructure Controller

(APIC)

Storage VMware

vCenter

Nexus 5000 Nexus 7000 Nexus 2000 / FEX Nexus 1000

Virtual Machine

4


Agenda

• Application Centric Infrastructure (ACI) Overview

• Migration to ACI – Network Centric

– Hybrid Approach

– Application Centric

• Planning for the future with Nexus 9000

5


ACI Overview

6

Physical

Virtualization

Networking

APP DB POLICY WEB

HYPERVISOR HYPERVISOR HYPERVISOR

APIC Application

External Network POLICY POLICY

Polic

y D

riven

Merc

hant+


Nexus 9000 Series

Open, Flexible, & Choice

of Programmability

Modes

Per-Box

Programmability

Policy Controller,

Centralized Fabric

Programmability

1/10/40/100GE

Common Platform

Network Ops Driven, Switch

Automation

User Driven, Policy Based Fabric

Automation

APIC

7


Migration Paths to ACI

8

ACI Fabric

Current DC

Infrastructure

Classic mode • Growth – Addition

• Network refresh

ACI Integration • New environments

• Service Chaining

• Dev, Test

ACI Migration • Business drivers

• Security, Compliance, TCO,

Programmability, Operations etc.


Agenda



– Hybrid Approach



9

© 2014 Cisco and/or its affiliates. All rights reserved. BRKACI-1025 Cisco Public 10

ACI Deployment and Migration

Deployment Design and deploy

new ACI POD

Integration

Extend ACI to your existing POD

Migration Migrate workloads to

use new ACI POD

Deploying an ACI POD


ACI Fabric

ACI Fabric Initialization

12

APIC APIC APIC

ACI Fabric supports discovery, boot, inventory

and systems maintenance processes via the APIC

• Fabric Discovery and Addressing

• Image Management

• Topology validation through wiring diagram

and systems checks


Tenant

Bridge Domain One

ACI Forwarding Model

13

EPG_N EPG_1

VRF_Context_One

Bridge Domain One

EPG_N EPG_1

VRF_Context_N

192.168.1.0/24

10.10.0.0/16

Bridge Domain N

EPG_Legacy

Non-IP, L2 forwarding only

• A collection of end-points form an end-point

group(EPG). EPG associates to a BD.

• EndPoints Identified by: • Physical or Virtual Switch ports, VLAN ID, VNID

• Future - NVGRE (VSID), DNS hostname, IP address

• A Tenant refers to one or more VRFs/Contexts

• A Context/VRF is referred to by one or more

Bridge Domains (BD)

• Bridge Domains identify properties influencing

forwarding behavior. One or more subnets,

ARP handling, Multicast etc.

10.10.0.0/16


Tenant

ACI Policy Model

Application Profile

C Contracts define what an EPG exposes to other EPGs and how

Contracts are reusable for multiple EPGs and EPGs can inherit multiple contracts

C

C

EPG NFS

EPG MGMT

EPG DB EPG App EPG Web C C C

14


ACI Policy Model – What is a Contract

Allows to specify rules and policies on

groups of physical or virtual end-points

without understanding of specific

identifiers and regardless of physical

location.

…

filter action

filter action

filter action

filter action

identifier to which

actions will be

applied

L4 port ranges

TCP options

…

identifies actions to

be applied

Permit

QoS

Log

Redirect to Services …

defined bi-directionally in the “provider” centric way

C

15


No Such Thing as Enough Security

16

http://www.pcworld.com/article/2031580/mcafee-warns-of-malware-targeting-point-of-sale-systems.html

McAfee_Labs_Threat_Advisory_EPOS_Data_Theft.pdf

http://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24927/en_US/McAfee_Labs_Threat_Advisory_EPOS_Data_Theft.pdf


APIC Admin

VI/Server Admin Instantiate VMs,

Assign to Port Groups

L/B

EPGAP

P

EPG DB F/W

EPG

WEB

Application Network Profile

Create Application Policy

Web Web Web App

HYPERVISOR HYPERVISOR

VIRTUAL DISTRIBUTED SWITCH

WEB PORT GROUP

APP PORT GROUP

DB PORT GROUP

vCenter

Server

8

5

1

9 ACI

Fabric

Automatically Map

EPG To Port Groups

Push Policy (Lazy)

Create VDS 2

Cisco APIC and

VMware vCenter Initial

Handshake

6

DB DB

7 Create Port

Groups

Cisco ACI Hypervisor Integration – VMWare DVS

APIC

3

Attach Hypervisor

to VDS

4 Learn location of ESX

Host through LLDP

17


ACI Adoption Strategies

18

ACI Fabric Model New OPERATIONS Model DESIGN Model = +

New ACI Fabric Operational Model

ACI Fabric

Leverage Known

APPLICATIONS

Constructs (decoupled

from Network)

OPERATIONS DESIGN

Leverage Known

NETWORKING

Constructs OPERATIONS DESIGN

HYBRID: Leverage BOTH

APPLICATIONS &

NETWORKING

Centric Constructs

OPERATIONS DESIGN


Agenda


• Migration to ACI

–Network Centric – Hybrid Approach



19


Classic

Access Switches

APIC

Network Centric Deployment example 1 VRF + 1 VLAN

20

VLAN 10

.101

.102

1.1

.1.0

/30

1.1

.1.1

2/3

0

1.1

.1.0

/30

1.1

.1.1

2/3

0

.3 .2

Bridge Domain Blue_1

10.10.10.1/24

Blue Tenant

and Context

External EPG

Exchange

Routes (Blue)

Tag 2101

.102

Policies

EPG blue_1

10.10.10.1/24

VRF Blue

•Routing

•VLAN 10

•HSRP

•Access List

•QoS etc.

Classic mode shown here for Reference ACI Fabric

.101

Tag could be VLAN ID or VNID


APIC

Classic Access

21

VLAN 10

(10.10.10.0/24)

Vlan 10,11

1.1

.1.0

/30

1.1

.1.1

2/3

0

1.1

.1.0

/30

1.1

.1.1

2/3

0

BD Blue_1

(10.10.10.1/24)

Blue Tenant

and Context

External EPG

Exchange

Routes (Blue)

Tag 2101

Policies

EPG

blue_1

VLAN 11

(10.10.11.0/24)

Tag 2102

BD Blue_2

(10.10.11.1/24)

EPG

blue_2

ACI Fabric

Network Centric Deployment Example 1 VRF + 2 VLANs – Option 1

Classic mode shown here for Reference


Network Centric Configuration

22


Configuring ACI Forwarding

23

Unicast Routing: The forwarding method based on predefined forwarding criteria (IP or MAC address). The default is layer 3 forwarding (IP address)

L2 Unknown Unicast: forwarding method for unknown layer 2 destinations. The method can be flood or proxy (default)

ARP Flooding: Specifies whether ARP flooding is enabled. If flooding is disabled, unicast routing will be performed on the target IP address. Can be on or off (default)


APIC

Classic Access

24

VLAN 10

(10.10.10.0/24)

Vlan 10,11

1.1

.1.0

/30

1.1

.1.1

2/3

0

1.1

.1.0

/30

1.1

.1.1

2/3

0

BD Blue_1

Blue Tenant

and Context

External EPG

Exchange

Routes (Blue)

Tag 2101

EPG

blue_1

VLAN 11

(10.10.11.0/24)

Tag 2102

BD Blue_2

EPG

blue_2

ACI Fabric

Network Centric Deployment Example 1 VRF + 2 VLANs – FW is the Def. GW



APIC

Classic Access

25

VLAN 10

(10.10.10.0/24)

Vlan 10,11

1.1

.1.0

/30

1.1

.1.1

2/3

0

1.1

.1.0

/30

1.1

.1.1

2/3

0

BD Blue_1

10.10.10.1/23

Blue Tenant

and Context

External EPG

Exchange

Routes (Blue)

Tag 2101

Policies

EPG

blue_1

VLAN 11

(10.10.11.0/24)

What if different policies between two groups mandated separate VLANs in Classic Networks.

EPG

blue_2

Tag 2102

ACI Fabric


1. Policies are based on EPG

2. Forwarding is based on BD attributes

X



Classic Access


26

VLAN 10

(10.10.10.0/24)

Vlan 10,11

1.1

.1.0

/30

1.1

.1.1

2/3

0

APIC

1.1

.1.0

/30

1.1

.1.1

2/3

0

BD Blue_1

10.10.10.1/23

Blue Tenant

and Context

External EPG

Exchange

Routes (Blue)

Tag 2101

Policies

VLAN 11

(10.10.11.0/24)

What if two VLANs was only due to ARP broadcast concerns.

ACI Fabric 1. Forwarding based on destination IP Address for intra and inter subnet (Default Mode)

2. Hardware based directed ARP forwarding

EPG blue_1


Network Centric ACI Integration


Direct Attach Endpoints

Hypervisor Attached Endpoints (VLAN or

VXLAN)

vSwitch

Extension of the ACI Overlay to remote AVS ACI Extended Overlay

AVS

ACI VXLAN Extended Overlay

Infrastructure VRF Extended

AVS

• ACI Policy overlay can be extended over existing IP networks

Full ACI VXLAN Switching Enabled

Hypervisor

L2 ‘or’ L3

VTEP VTEP VTEP

VTEP VTEP

VTEP

28


vSwitch

AVS AVS

VTEP VTEP VTEP

VTEP VTEP

VTEP

VM VM

10.2.4.7 10.9.3.37

VM

VM

10.2.4.32

VM

10.9.3.89

10.9.3.38

AVS VTEP

AVS VTEP

VM

10.2.4.19 10.9.3.123

VM

VM

10.2.4.74

Forwarding within the Extended Overlay Adding Remote Physical Leaf Nodes, Nexus 9000

29


vSwitch

Forwarding within the Extended Overlay Adding Remote Physical Leaf Nodes, Nexus 9000

AVS AVS

VTEP VTEP VTEP

VTEP VTEP

VTEP

• Nexus 9000 as a remote ACI Leaf

• Support for full policy based forwarding, atomic counters,

zero touch install, health scores

VM VM

10.2.4.7 10.9.3.37

VM

VM

10.2.4.32

VM

10.9.3.89

10.9.3.38

AVS VTEP

AVS VTEP

VM

10.2.4.19 10.9.3.123

VM

VM

10.2.4.74

VTEP

30


Extending ACI Policy Based Forwarding into Existing Data Center Networks (1HCY15)

N5K N3K N6K

AVS OVS

Extended ACI Fabric

AVS vSwitch

ACI Enabled

Remote N9K

1. Extend Policy Based Forwarding

2. Extend Visibility, Fault and Audit

3. Automated Device Management for extended Fabric nodes

vSwitch HyperV

31

Network Centric ACI Migration


Access

.102

Network Centric Migration Example VRF + 2 VLANs

VLAN 10

(10.10.10.0/24)

Vlan 10,11

1.1

.1.1

2/3

0

APIC

1.1

.1.0

/30

BD Blue_1

Blue Tenant

and Context

External EPG

Tag 2101

Policies

EPG

blue_1

Migration

Tag 2102

BD Blue_2

10.10.11.1/24

EPG

blue_2

Layer 2 vPC Trunk

Layer 3 Routing

Static, OSPF, BGP

• STP compatibility with Classic Network

• VLAN 10 maps to BD Blue_1


• Classic Devices are still the Default Gateway

• Equally applicable to L4-7 services (FW/LB)

in the Classic Network

• Flooding enabled on ACI BDs during

migration

• Once migration completed, insert needed

services and move Default Gateway ACI BDs

L2_

Out L2_

Out

Tag could be VLAN ID or VNID.

.101

VLAN 11

(10.10.11.0/24)

33


ACI Fabric

ACI Integration and Migration

10G/40G to ACI

Layer 3

Layer 2 - 1GE

Layer 2 - 10GE

10 GE DCB

10 GE FCoE/DCB

4/8 Gb FC

34


ACI Integration and Migration

10G/40G to ACI

Layer 3

Layer 2 - 1GE

Layer 2 - 10GE

10 GE DCB

10 GE FCoE/DCB

4/8 Gb FC

ACI Fabric

L3

L2

Forwarding Flow

Migration Path

• Default Gateway moves to ACI Leaf layer

• EPG = VLAN / Subnet (initial step)

• Host / FEX can migrate to Leaf (overtime)

35


Many Migration Options

36

Option 1:

Migrate FEX to

9300 Option 2:

Migrate 5500 +

FEX to 9300 Option 3: Interconnect

existing POD to Fabric

Phase 1: Layer 2 Existing

Network/Local Switching

AVS

AVS

Op

Fle

x

Op

Fle

x

36


Agenda



–Network Centric

–Hybrid Approach – Application Centric


37


Access

AppThree’s

WebServer AppTwo’s

WebServer

AppOne’s

WebServer

Deployment Example – Hybrid Approach

38

VLAN 10 (10.10.10.0/24)

APIC

.3 .2

Blue Tenant

and Context

External

EPG

Exchange

Routes (Blue)

Policies

AppOne’s

WebServer

AppTwo’s

WebServer

AppThree’s

WebServer

External Network

External Network

VLAN 11

(10.10.11.0/24 Tag 2011

EPG 11

BD Blue_1

10.10.10.1/24

BD Blue_2

10.10.11.1/24

EPG

One-web EPG

Two-web

EPG

Three-web

Tag 101

Tag 102

Tag 100


38

Hybrid (Network and Application Centric) ACI Migration


Access

AppTwo’s

WebServer

AppThree’s

WebServer

ACI Migration for Hybrid Approach

APIC

Blue Tenant

and Context

External

EPG

Exchange

Routes (Blue)

Policies

VLAN 11

(10.10.11.0/24 Tag 2011

EPG 11

BD Blue_1

BD Blue_2

EPG

One-web EPG

Two-web

EPG

Three-web

Tag 101

Tag 102

Classic L2 Extension.

• STP compatibility with Classic Network



• Classic Devices are still the Default

Gateway

• Flooding enabled on ACI BDs during

migration

• Equally applicable to L4-7 services

(FW/LB) in the Classic Network

• Once migration completed, insert

needed services and move Default

Gateway ACI BDs

AppOne’s

WebServer

VLAN 10 (10.10.10.0/24)

Tag 100

40 40


Virtual Environment Migration Example

L3

L2

N5500 N5500

N7K N7K ACI Fabric

VMware vSwitch, DVS, N1kV

L3 L3

L3 L3

“APIC Created” VMware DVS / Cisco AVS

vCenter

vShield

L2 L2 L2 L2

vMotion / Cold Migration

“APIC Created” VMware DVS / Cisco AVS

41


ACI Virtual Migration Assistant

• User and Workflow driven

• Multiple scenarios

• vSwitch ACI

• DVS ACI

• N1kv ACI

• Any Combination ACI

Cisco Advanced Services

42


Agenda



–Network Centric

–Hybrid Approach

–Application Centric


43


Application Centric Migration Building the Application Profile – an Example

Oracle Internet Expenses

44


C Intranet EPG

@ Border Leaf

C

Other

Applications

TCP: *,443


Active

Directory

C

45


Intranet EPG

@ Border Leaf

C

C

Expenses EPG

Extranet EPG

@ Border Leaf

Oracle

RAC DB

C

C


C

46


ACI Introduction L3

L2 Spine

Leaf

ACI Deployments for Known Application Profiles

N7K N7K

N9K N9K

N9300 N9300 N9300 N9300 N9300 N9300 N9300 N9300

Integrated L4-L7 Services

Physical & Virtual

V

Internet WAN / DCI ACI POD for Greenfield or well understood applications

47


Defining Profiles for Applications in Use

Common Customer Challenges

• Lack of confidence on existing information • CMDB, Single Source of Truth (SSOT), IPAM etc.

• Not knowing End-Point (EP) details • Identification

• In-use vs decommissioned

• Unsure on App ↔ Host association

• List of L4 ports: Client or Server

• EPs classification and Application grouping assignment • Customer needs guidance

• Application End Point Groups and associated policies

48


Application Network Profile Discovery Unknown Application Network Profiles

49

Web Tier

FW

LB

APP 1 DB 1 F/W

LB

WEB 1

FW

LB

APP 3 DB 3 F/W

LB

WEB 3

FW

LB

APP 2 DB 2 F/W

LB

WEB 2

App Tier DB Tier

F/W

LB FW

LB


ACI Deployment Assistant (Pre Migration)

Network Discovery: • Device

Configurations

• Protocol State

• Traffic Capture

Server Discovery: • Servers

• Process

• Network Stats

Application Dependency Analysis • Network and Server data

correlation

• Application fingerprinting

• Customer input

HYPERVISOR HYPERVISOR HYPERVISOR

APIC

• Comprehensive Application Dependencies

• Multiple Application Network Policies

• Application, Server Mapping

• Automate Physical, Virtual Migration Cisco Advanced Services

53


ACI Migration Summary

54

• ACI designed from the ground-up to be Application Centric

• Flexible and customizable to fit your business needs

• A phased approach: Grow, Integrate, Migrate

• Solution flexible to be Network Centric, Application Centric or a Hybrid approach


Agenda



– Hybrid Approach



55


Classic Mode Adoption – Nexus 9000 Series

56

vPC

N9500

N5K

N2K

Layer 3

Layer 2

vPC

vPC

N7K

N9300

VM

#4

VM

#3

VM

#2

Layer 3

Layer 2

New access POD or Catalyst Replacement

Aggregation Catalyst Replacement

VM

#4

VM

#3

VM

#2

N2K

New Aggregation, Access POD

vPC

VM

#4

VM

#3

VM

#2

N2K

vPC

vPC vPC

N9500

N9300

Layer 3

Layer 2 C6500

56


Classic Mode Adoption - VxLAN on Nexus 9000 Series

VXLAN Overlay

Workload mobility

L2 Multipathing

VXLAN Gateway (VXLAN to VLAN)

VXLAN Bridging (VXLAN to VXLAN at L2)

VXLAN Routing

Routing between VXLANs and VLAN to VXLAN

Anycast Gateway for vPC setup

57


Classic Mode Tools for Nexus 9000 Series

58

On CCO: Catalyst 6500/4500 IOS to Nexus 9000 NX-OS Configuration Converter


Open Source for Nexus 9000 Series

• Community contributed code and samples

• Sample scripts for automation, operations and

general use

• Python Modules to aid in rapid development

• For custom use cases, development could be

done by your in-house team

https://github.com/datacenter/nexus9000/tree/master/nx-os

Cisco Advanced Services 59




© 2014 Cisco and/or its affiliates. All rights reserved. BRKACI-1025 Cisco Public 60

Nexus Deployment and Migration Assistant

Deployment Design and deploy new Nexus POD

Integration

Extend L2, L3 to new Nexus POD

Migration Migrate ports to use

new Nexus POD

60


Nexus Deployment Assistant

POD builder questionnaire

• Select technology you would like to deploy

• Select aggregation, access devices, line cards

• Select connectivity requirements

• Select protocol settings and other configuration

Cisco AS

Best

Practices

61


Nexus Deployment and Migration Tool

62

Nexus Deployment Assistant + Selective Catalyst IOS to Nexus 9000 config migration

Current Device Module Selected Interfaces

Access Switch #1 WS-X6548-GE-TX GigabitEthernet1/1

GigabitEthernet1/2

GigabitEthernet1/3

GigabitEthernet1/4

Access Switch #2 WS-X6748-GE-TX GigabitEthernet3/1

GigabitEthernet3/2

GigabitEthernet3/3

GigabitEthernet3/4

Target

Device Module

Target

Interfaces

vPC Pair

NewAccess1

NewAccess2

N9K-X9564TX Ethernet1/1

Ethernet1/2

Ethernet1/3

Ethernet1/4


Nexus Deployment and Migration Tool

63

• Automate Nexus 9000 deployment and configuration

• Catalyst and Nexus 9000 integration and end device migration

• Migrate any Catalyst 6500 topology to any Nexus 9000 topology

Deployment Assistant

Catalyst Environments

Si Si Si Si

Si Si Si Si

Si Si Si Si

VSS

Si Si Si Si

Nexus Deployment

Cisco AS

Best

Practices

Cisco Advanced Services 63


ACI Migration Summary

64

• ACI designed from the ground-up to be Application Centric

• Flexible and customizable to fit your business needs

• A phased approach: Grow, Integrate, Migrate

• Solution flexible to be Network Centric, Application Centric or a Hybrid approach

Thank You!!


Complete Your Online Session Evaluation

• Give us your feedback and you could win fabulous prizes. Winners announced daily.

• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

65

https://www.ciscolive.com/online


Continue Your Education

• Demos in the Cisco Campus

• Walk-in Self-Paced Labs

• Table Topics

• Meet the Engineer 1:1 meetings

66

migration from classic dc network to application centric...

Documents