N9K / Application Centric Infrastructure Anand Louis Product Management N9K/ACI May 2016




© 2013-2014 Cisco and/or its affiliates. All rights reserved.

DATA CENTER TRANSITIONS – ROAD TO ACI/NEXUS 9K

• VM Density and Server I/O: 10G/25G LAN on Motherboard [2]
• Big Data: IP Traffic 25% CAGR [4]
• “Bare Metal”: 30-40% physical servers [1]
• Multi-Cloud: ~45% of DC Multi-Hypervisor [3]

Sources: 1. Morgan Stanley CIO Survey, 2013; 2. HP; 3. Information Week 2013 Virtualization Mgmt Survey, 2013; 4. Cisco Global Cloud Index Forecast (2013-2017)

Lower TCO | Workload Flexibility | Agility | Compliance/Security

Cisco’s Approach to SDN: Providing Choice with Automation and Programmability

Programmable Fabric
• VxLAN-BGP EVPN standard-based
• Segment Routing with BGP
• 3rd party controller support
• Cisco’s VTS / Nexus Fabric Manager for overlay provisioning

Cisco ACI
• Turnkey integrated solution
• Embedded security, centralized management, and scale
• Automated application centric-policy model
• Broad and deep ecosystem

Programmable Network
• Modern NX-OS with enhanced NX-APIs
• Automation Ecosystem (Puppet, Chef, Ansible, etc.)
• Common NX-API across N2K-N9K

Momentum Continues to Grow
• 6,000+ Nexus 9K and ACI Customers Globally
• 50 Ecosystem Partners
• 1400+ ACI Customers

NEW ECOSYSTEM

ACI Overview


DATA CENTER TRANSFORMATION RESPONSE: BECOME APPLICATION CENTRIC


APPLICATION CENTRIC POLICY MODEL: Network Automation

[Figure: application tiers (DB, APP, ADC, WEB, F/W, ADC) modelled in APIC and pushed to Physical Networking, L4–L7 Services, Compute, Storage, Hypervisors and Virtual Networking, and Multi DC WAN and Cloud]


APPLICATION CENTRIC POLICY MODEL: BUILDING ON TRANSFORMATIVE APPROACH OF UCS

SYSTEMS APPROACH: Rapid Deployment of Applications with Scale, Security and Full Visibility

1. Subject Matter Experts define policies (Network SME, Security SME, Application SME) in APIC
2. Policies used to create Application Network Profile templates
3. Automated policy configuration across the infrastructure (Physical Networking, Compute, L4–L7 Services, Storage, Hypervisors and Virtual Networking, Multi DC WAN and Cloud; Nexus 2K, Nexus 7K, Integrated WAN Edge)
4. Life cycle management for day 1, day 2 operations


APPLICATION CENTRIC POLICY MODEL: SECURITY & MICRO-SEGMENTATION

[Figure: application tiers (DB, APP, ADC, WEB, F/W, ADC) spanning ESX (MGMT, VMOTION), Bare Metal, Linux and Container workloads]

• ACI integrated security - open, flexible, policy-driven
• VLAN = EPG
• Application granularity


PHYSICAL & VIRTUAL AGILITY: APP MOBILITY, APP VISIBILITY

[Figure: two per-tenant, per-application telemetry panels (Latency, Health Score, Isolation, Systems, Telemetry), one showing 25 packets dropped and one showing 0 packets dropped]

ACI SECURITY WITH MULTITENANCY: ENABLING A DYNAMIC ENTERPRISE WITHOUT COMPROMISE

• Centralized Compliance and Auditing
• Import / Export Policy via API (Support for External Policy Engines)
• Automated Services Chaining
• Complete Isolation with Full Scalability and Security (tenants such as Engineering, Legal, Sales, HR, Finance, Marketing)
• Policy Separated from Network Forwarding (Policy Engine)
• APIC: Encrypted Controller Communication
• Advanced Role Based Access Control

Cisco ACI Delivers Flexible, Granular, Consistent Microsegmentation

Three models: Attributes Based, Intra-EPG Based, EPG Based

Attributes Based Micro-segmentation (VMware VDS, Microsoft Hyper-V, KVM*, Cisco AVS, Physical)
• Attribute match examples, each tied to a FW policy: OS ‘Linux’; IP ‘1.1.1.1’; Name ‘Video’

ACI Benefits
• Basic DC Segmentation: PROD, POD DMZ, SHARED SERVICES
• Application Lifecycle Segmentation: DEV, TEST, PROD
• Service Level Segmentation: WEB, APP, DB
• Network-Centric Segmentation: VLAN 1, VXLAN 2, VLAN 3

Intra-EPG Isolation
• All Workloads Can Communicate (Application Tier Policy Group)
• Isolate Workloads within Application Tier (Application Tier Policy Group)
• Quarantine Compromised Workloads (Isolate)

Policy Driven Micro-segmentation for Any Workload: VMware VDS, Microsoft Hyper-V, KVM*, Cisco AVS, Physical

*Future

L4-7 PARTNERS: ADC AND FIREWALL

[Figure: service profile providers (Firewall instances, Virtual ADC instances) composed into a Service Graph of begin – stage 1 … stage N – end; chain “Security 5” inserted between Web Server (App Tier A) and App Server (App Tier B)]

Service Insertion
• CENTRAL CONTROL POINT FOR NETWORK AND L4-7 SERVICES
• PHYSICAL & VIRTUAL APPLIANCES
• VISIBILITY, ANALYTICS, FORENSICS
• AUTOMATE COMPLIANCE, CENTRALIZED AUDIT

L4-7 Services Partners – APIC


HW Overview

ASIC Portfolio For Nexus 3000/9000

1st Gen Switches: 2013–2015
• Merchant (40nm): Trident T2
• Merchant + Cisco (28nm): ASE, ALE

2nd Gen Switches: 2016+
• Merchant (28nm): Tomahawk, Trident 2+
• Cisco ASIC (16nm): LSE, ASE2

Scale
• Route/ Host tables
• Encap normalization
• EPG/ SGT/ NSH

Telemetry
• Analytics
• Atomic Counters

Optimization
• Smart Buffers
• DLB/ Flow Prioritization

Driving Innovation to Deliver Choice: Next-Gen Nexus 9K Portfolio With Cloud Scale Technology

• 25G at Price of 10G; 100G at Price of 40G – 2.5x Bandwidth at Same Price
• Cloud Scale Technology – Up to 12x Scale of Competition
• Embedded Security, Analytics, and Telemetry at 100G Wire Rate
• Open Choices for SDN and Network Automation

Nexus 9000 Migration Flexibility: SCALE, PERFORMANCE, INVESTMENT PROTECTION

• Convergence of ACI Spine and NX-OS Aggregation in one line card
• Flexible path from 40G to 100G
• Larger route tables and buffers (Cisco ASIC)
• Density with Choice (144x10G, 144x25G, 72x50G per card)
• Analytics/ Netflow* support (Cisco ASIC)
• High Density Designs: up to 72p fixed w/ Cisco ASIC

CY13-15: 40G ACI Spine; 40G NX-OS Agg.; 10G Server Access; 10G/40G FEX Agg.
CY15/16+: Unified 40/50/100G; 10G/25G/40G/50G Server Access; 10G/40G/100G FEX Agg.

* Hardware Ready, Check software roadmap for enablement timelines

Nexus 9000 Cisco Cloud Scale Technology

Scale: 5x host scale (750k vs. 120k); 15x IPv6 routes (384k vs. 20k); 2x MAC address scale (512 vs. 288k)
Price/Performance: 25G at the cost of 10G; 100G at the cost of 40G
Visibility: Flow-let based congestion detection; Per-flow Visibility (5x of NetFlow v9)
Security: Any Encap (VXLAN, MPLS); VxLAN single-pass
Multi-Speed: 10/25/40/50/100G w/ investment protection

How Do You See Your Business Benefiting from Automation of Your Network?

Network Automation – Zero Touch Provisioning
• Automated Topology Discovery
• Plug & Play Device Attach
• Automated Image Management
• Policy Based Upgrade
• Automated Fabric Configuration and Addressing
150 Nodes Deployed, < 1 Hour - Large Service Provider

Network Automation – Enterprise Software Company
• L4-L7 Services Automation: Automated Addition/Removal of ACL rules when an Application is Created/Deleted
• Automation delivers better security - Denial log will help us see what type of traffic is hitting the policy
• Automation - Dynamic Endpoint Attachment helps identify new host detection and assignment to right EPG
• 16X Reduction in Access Lists: Many Data Center customers use multiple firewalls and it’s hard for them to keep up with ACL changes


ACI SOLVES REAL CUSTOMER CHALLENGES

[Figure: benefit figures as laid out on the slide: Reduce Network Provisioning; 58% Reduce Management Costs; 21% Reduce Power and Cooling Costs; 45% CAPEX Reduction; 25% Compute and Storage Optimization; 10 – 20%]

• Greater Business Agility
• Lower Capital Expenses
• Reduced Costs / Complexity
• Lower Operating Cost
• Resource Optimization

VXLAN OVERLAYS OVERVIEW

Customer Needs → VXLAN Delivered
• Any workload anywhere – VLANs limited by L3 boundaries → Any workload anywhere, across Layer 3 boundaries
• VM Mobility → Seamless VM Mobility
• Scale above 4k Segments (VLAN limitation) → Scale up to 16M segments
• Secure Multi-tenancy → Traffic & Address Isolation

[Figure: VXLAN Overlay spanning five VTEPs]

Barrier for Scaling out Large Data Centers and Cloud Deployments

LIMITED SCALE
• Flood and learn (BUM) - Inefficient Bandwidth Utilization
• Resource Intensive – Large MAC Tables

LIMITED WORKLOAD MOBILITY
• Centralized Gateways – Traffic Hairpinning
• Sub-Optimal Traffic Flow

[Figure: flood-and-learn VXLAN Overlay spanning five VTEPs]

VXLAN Fabric with BGP-EVPN Control Plane: Breaking the VXLAN Fabric Scale Barriers

INCREASED SCALE
• Eliminates Flooding
• Conversational Learning
• Policy-Based Updates

OPTIMIZED MOBILITY
• Distributed Anycast Gateway

INTEROPERABLE
• Standards Based BGP-EVPN VXLAN

OPERATIONAL FLEXIBILITY
• Layer 2 or Layer 3
• Controller Choice

[Figure: BGP-EVPN VXLAN Overlay spanning five VTEPs, all BGP peers of two Route Reflectors]

[Figure: four VTEPs, each fronting a Local LAN, connected over an IP Transport Network; a VXLAN VNI defines one LAN Segment across them]

Underlay Network:
• IP routing – proven, stable, scalable
• ECMP – utilize all available network paths

Overlay Network:
• Standards-based overlay
• Layer-2 extensibility and mobility
• Expanded Layer-2 name space
• Scalable network domain
• Multi-Tenancy

Overlay services
– Layer-2
– Layer-3
– Layer-2 + Layer-3

Tunnel Encapsulation

Underlay transport network

Control Plane
• Peer discovery mechanism
• Route learning and distribution mechanism
– Local learning
– Remote learning

Data Plane
• Overlay L2/L3 Unicast traffic
• Overlay Broadcast, Unknown (Layer-2) traffic, Multicast traffic (BUM traffic) forwarding
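The VTEP building blocks named in the VXLAN slides (tunnel encapsulation carrying a VNI, local and remote learning, per-tenant traffic isolation) as an added example that is not code from this deck or from Cisco: a minimal VXLAN header encoder/decoder per RFC 7348 plus a toy VTEP whose MAC table is keyed by VNI, so the 24-bit VNI range ("16M segments") and tenant isolation are visible in code. The VNIs, MAC addresses, VTEP IPs and port names are constructed values.

```python
import struct

VXLAN_UDP_PORT = 4789        # IANA UDP port for VXLAN (RFC 7348)
VNI_MAX = (1 << 24) - 1      # 24-bit VNI: 16,777,215 segments ("16M") vs. 4k VLANs
ETH_HDR_LEN = 14             # dst MAC, src MAC, EtherType

def vxlan_encap(vni, inner_frame):
    """Prepend the 8-byte VXLAN header: flags (I bit set), 3 reserved, 24-bit VNI, 1 reserved."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI must fit in 24 bits")
    if len(inner_frame) < ETH_HDR_LEN:
        raise ValueError("inner frame too short to be Ethernet")
    return struct.pack("!BxxxI", 0x08, vni << 8) + inner_frame

def vxlan_decap(payload):
    """Parse a VXLAN UDP payload into (vni, inner_frame); reject malformed headers."""
    if len(payload) < 8 + ETH_HDR_LEN:
        raise ValueError("payload too short for VXLAN + Ethernet headers")
    flags, vni_field = struct.unpack("!BxxxI", payload[:8])
    if not flags & 0x08:
        raise ValueError("I flag clear: header carries no valid VNI")
    return vni_field >> 8, payload[8:]

class Vtep:
    """Toy VTEP: local ports per VNI, plus remote MACs learned from received tunnels."""
    def __init__(self, ip):
        self.ip = ip
        self.local = {}    # (vni, mac) -> local port     (local learning)
        self.remote = {}   # (vni, mac) -> remote VTEP ip (remote learning)

    def attach(self, vni, mac, port):
        self.local[(vni, mac)] = port

    def receive(self, payload, src_vtep_ip):
        """Decapsulate a tunnelled frame; return the local port it is delivered to, or None."""
        vni, frame = vxlan_decap(payload)
        dst, src = frame[:6], frame[6:12]
        self.remote[(vni, src)] = src_vtep_ip
        # Isolation: the VNI is part of the lookup key, so a frame in tenant B's segment
        # never reaches a port attached in tenant A's segment, even for the same MAC.
        return self.local.get((vni, dst))

# Constructed sample: two tenant segments and two endpoint MACs (not real addresses)
TENANT_A, TENANT_B = 10001, 10002
WEB_MAC = bytes.fromhex("020000000001")
DB_MAC = bytes.fromhex("020000000002")

def demo():
    """Frame from DB (behind a remote leaf) to WEB: delivered in tenant A, dropped in tenant B."""
    leaf1 = Vtep("10.0.0.1")
    leaf1.attach(TENANT_A, WEB_MAC, "eth1/1")
    frame = WEB_MAC + DB_MAC + b"\x08\x00" + b"constructed payload"
    delivered = leaf1.receive(vxlan_encap(TENANT_A, frame), "10.0.0.2")
    crossed = leaf1.receive(vxlan_encap(TENANT_B, frame), "10.0.0.2")
    return delivered, crossed, leaf1.remote[(TENANT_A, DB_MAC)]
```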