plnog14: application centric infrastructure introduction - nick martin

Cisco Confidential 1 C97-730020-01 © 2013 Cisco and/or its affiliates. All rights reserved. Nick Martin

Upload: proidea

Post on 16-Jul-2015


TRANSCRIPT


Slide 2

Figure: Cisco management stack (diagram only; labels as extracted): UCS Director, OpenStack, UCS Manager, Application Policy Infrastructure Controller, Converged Infrastructure Managers, vCenter, System Center, Process Orchestrator, 3rd Party Orchestrators (vRA / BMC etc.), IaaS / PaaS / SaaS, Capacity planning, Intercloud, Prime Services Catalogue, Stack Designer, Intercloud Fabric, Puppet, SCVMM, Chargeback, 3rd Party, CPU, ODL, Analytics and Service Assurance, Storage, Manual Processing.

Slide 3: diagram only, no text extracted.

Slide 4

Figure: APIC (fabric controller), ACI spine nodes, ACI leaf nodes.

• ACI Fabric provides:

‒ Decoupling of endpoint identity, location, and associated policy, all of which are independent from the underlying topology

‒ Full normalization of the ingress encapsulation mechanism used: 802.1Q VLAN, IETF VXLAN, IETF NVGRE

‒ Distributed Layer 3 gateway to ensure optimal forwarding for Layers 3 and 2

‒ Support for standard bridging and routing semantics without standard location constraints (any IP address anywhere)

‒ Service insertion and redirection

‒ Removal of flooding requirements for IP control plane (ARP, GARP)

Slide 5

• ACI Fabric is based on an IP fabric supporting routing to the edge with an integrated overlay for host routing

‒ All end-host (tenant) traffic within the fabric is carried through the overlay

‒ Mobility

‒ “Carrier grade“ multi-tenancy

‒ Integration with emerging hypervisor designs

Figure: IP fabric with integrated overlay, managed by APIC.

Slide 6

• Quick example: with 1,000 servers, 10% bare metal is 100 physical workloads!

• If you take 30 VMs/host, the remaining 900 VMs would fit in 30 physical hosts

• You would have more than three times as many racks of bare-metal servers as racks of VM hosts (assuming all servers are the same size)

Slide 7

Figure: Normalization of ingress encapsulation. Localized encapsulations at the leaf ports (VXLAN VNID 5789, VXLAN VNID 11348, NVGRE VSID 7456, 802.1Q VLAN 50) are mapped any-to-any onto the normalized encapsulation of the IP fabric, which uses eVXLAN tagging (VTEP / VXLAN / IP / payload). Header stacks shown: payload / IP / VXLAN / outer IP; payload / IP / NVGRE / outer IP; payload / IP / 802.1Q / Eth; payload / IP / Eth; payload / MAC.

• All traffic within the ACI Fabric is encapsulated with a VXLAN header

• External VLAN, VXLAN, NVGRE tags are mapped at ingress to an internal VXLAN tag

• Forwarding is not limited to, nor constrained within, the encapsulation type or encapsulation ‘overlay’ network

• External identifiers are localized to the Leaf or Leaf port, allowing re-use and/or translation if required
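As an added example (mine, not from the deck or Cisco's code) of the normalization these bullets describe: a Python model of a leaf's port binding table that decodes the outermost 802.1Q tag, VXLAN header (RFC 7348) or NVGRE key (RFC 7637) of an arriving frame and maps (port, encapsulation, identifier) to a fabric-internal 24-bit VNID. The identifiers are the ones on the slide; the leaf and port names, the internal VNIDs and the sample frames are constructed. The behaviour worth noticing is that the binding is keyed by port, so VLAN 50 on two ports can land in two different segments, a VLAN and a VXLAN VNID can share one segment, and a frame whose encapsulation was never bound on its port is rejected rather than admitted to a guessed segment.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

# Constants from the relevant standards (802.1Q, RFC 7348 VXLAN, RFC 7637 NVGRE).
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP, IPPROTO_GRE = 17, 47
UDP_VXLAN_PORT = 4789
GRE_PROTO_TEB = 0x6558     # Transparent Ethernet Bridging: the GRE protocol type NVGRE carries
GRE_KEY_PRESENT = 0x2000   # K bit in the GRE flags word


@dataclass(frozen=True)
class IngressEncap:
    kind: str    # "vlan", "vxlan" or "nvgre"
    ident: int   # 12-bit VLAN ID, 24-bit VNID or 24-bit VSID


def parse_ingress_encap(frame: bytes) -> IngressEncap:
    """Classify a frame arriving on a leaf port by its outermost tenant encapsulation.
    Only the bytes needed to extract the identifier are decoded."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETHERTYPE_8021Q:
        tci = struct.unpack_from("!H", frame, 14)[0]
        return IngressEncap("vlan", tci & 0x0FFF)              # VLAN ID is the low 12 bits of the TCI
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("unsupported ethertype 0x%04x" % ethertype)
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[14 + 9]
    l4 = 14 + ihl
    if proto == IPPROTO_UDP and struct.unpack_from("!H", frame, l4 + 2)[0] == UDP_VXLAN_PORT:
        flags = frame[l4 + 8]                                   # VXLAN header follows the 8-byte UDP header
        if not flags & 0x08:                                    # I flag: VNI field is valid
            raise ValueError("VXLAN header without the I flag set")
        vni = int.from_bytes(frame[l4 + 12:l4 + 15], "big")    # 24-bit VNI at offset 4 of the header
        return IngressEncap("vxlan", vni)
    if proto == IPPROTO_GRE:
        gre_flags, gre_proto = struct.unpack_from("!HH", frame, l4)
        if gre_proto == GRE_PROTO_TEB and gre_flags & GRE_KEY_PRESENT:
            key = struct.unpack_from("!I", frame, l4 + 4)[0]
            return IngressEncap("nvgre", key >> 8)              # upper 24 bits VSID, low 8 bits FlowID
    raise ValueError("no recognised tenant encapsulation")


class LeafNormalizer:
    """Per-leaf binding table: (port, ingress encapsulation) -> fabric-internal VNID.
    The port is part of the key, so an external identifier only means something on
    the port it was bound to (the slide's 'localized encapsulation')."""

    def __init__(self, leaf: str):
        self.leaf = leaf
        self._bindings: dict[tuple[str, IngressEncap], int] = {}

    def bind(self, port: str, encap: IngressEncap, internal_vnid: int) -> None:
        if not 0 < internal_vnid < 2 ** 24:
            raise ValueError("internal VNID must fit in 24 bits")
        self._bindings[(port, encap)] = internal_vnid

    def normalize(self, port: str, frame: bytes) -> int:
        encap = parse_ingress_encap(frame)
        try:
            return self._bindings[(port, encap)]
        except KeyError:
            # An unbound encapsulation is dropped, never guessed into a segment.
            raise PermissionError(f"{self.leaf} {port}: no binding for {encap}") from None


# --- constructed sample frames (not captures) ---------------------------------
def _eth(ethertype: int = ETHERTYPE_IPV4) -> bytes:
    return bytes.fromhex("001122334455") + bytes.fromhex("00aabbccddee") + struct.pack("!H", ethertype)

def _ipv4(proto: int, payload: bytes) -> bytes:   # minimal 20-byte header, checksum left zero
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

def vlan_frame(vlan_id: int, payload: bytes = b"tenant-payload") -> bytes:
    return _eth(ETHERTYPE_8021Q) + struct.pack("!HH", vlan_id & 0x0FFF, ETHERTYPE_IPV4) + payload

def vxlan_frame(vni: int, inner: bytes = b"inner-ethernet-frame") -> bytes:
    vxlan_hdr = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp = struct.pack("!HHHH", 49152, UDP_VXLAN_PORT, 8 + len(vxlan_hdr) + len(inner), 0)
    return _eth() + _ipv4(IPPROTO_UDP, udp + vxlan_hdr + inner)

def nvgre_frame(vsid: int, flow_id: int = 0x2A, inner: bytes = b"inner-ethernet-frame") -> bytes:
    gre = struct.pack("!HHI", GRE_KEY_PRESENT, GRE_PROTO_TEB, (vsid << 8) | flow_id)
    return _eth() + _ipv4(IPPROTO_GRE, gre + inner)


def demo() -> dict[str, int]:
    """Identifiers from the slide (VLAN 50, VNID 5789/11348, VSID 7456); internal VNIDs are assumed."""
    leaf1 = LeafNormalizer("leaf1")
    leaf1.bind("eth1/1", IngressEncap("vlan", 50), 0xA0001)      # VLAN 50 on this port -> segment A
    leaf1.bind("eth1/2", IngressEncap("vlan", 50), 0xB0002)      # same VLAN 50, other port -> segment B
    leaf1.bind("eth1/3", IngressEncap("vxlan", 5789), 0xA0001)   # VXLAN 5789 joins segment A
    leaf1.bind("eth1/4", IngressEncap("nvgre", 7456), 0xA0001)   # NVGRE 7456 joins segment A
    leaf1.bind("eth1/5", IngressEncap("vxlan", 11348), 0xB0002)
    return {
        "vlan50@eth1/1": leaf1.normalize("eth1/1", vlan_frame(50)),
        "vlan50@eth1/2": leaf1.normalize("eth1/2", vlan_frame(50)),
        "vxlan5789@eth1/3": leaf1.normalize("eth1/3", vxlan_frame(5789)),
        "nvgre7456@eth1/4": leaf1.normalize("eth1/4", nvgre_frame(7456)),
        "vxlan11348@eth1/5": leaf1.normalize("eth1/5", vxlan_frame(11348)),
    }
```

`demo()` returns the five mappings; `normalize("eth1/9", vlan_frame(50))` on a port with no binding raises `PermissionError`. A real leaf does this lookup in the forwarding ASIC; the model is about the shape of the table, not its speed.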

Slide 8

• ACI Fabric supports full Layer 2 and Layer 3 forwarding semantics; no changes required to applications or endpoint IP stacks

• ACI Fabric provides optimal forwarding for Layer 2 and Layer 3

‒ Fabric provides a pervasive SVI, which allows for a distributed default gateway

‒ Layer 2 and Layer 3 traffic are directly forwarded to the destination endpoint

• IP ARP and GARP packets are forwarded directly to the target endpoint address contained within the ARP or GARP header (elimination of flooding)

Figure: Distributed Default Gateway (left) and Directed ARP Forwarding (right), each shown with endpoints 10.1.1.10, 10.1.3.11, 10.6.3.2 and 10.1.3.35 under APIC.

Slide 10

• The forwarding table on the Leaf switch is divided between local (directly attached) and global entries

• The Leaf global table is a cached portion of the full global table

• If an endpoint is not found in the local cache the packet is forwarded to the ‘default’ forwarding table in the spine switches (1,000,000+ entries in the spine forwarding table)

Figure: the three station tables as shown.

Proxy station table (spines Proxy A / Proxy B; contains addresses of all hosts attached to the fabric):
‒ 10.1.3.11 → Leaf 1
‒ 10.1.3.35 → Leaf 3
‒ fe80::462a:60ff:fef7:8e5e → Leaf 4
‒ fe80::62c5:47ff:fe0a:5b1a → Leaf 6

Global station table on the Leaf (contains a local cache of the fabric endpoints):
‒ 10.1.3.35 → Leaf 3
‒ * → Proxy A (default entry)

Local station table on the Leaf (contains addresses of all hosts attached directly to the Leaf):
‒ 10.1.3.11 → Port 9
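Added example (mine, not Cisco's forwarding code) tying together the directed-ARP bullet on slide 8 and the three station tables above: a leaf resolves a target address against its local station table, then its global station table (the cache), and only then asks the spine proxy, caching the answer for next time. An ARP request is unicast to the resolved port or leaf and never flooded to every port of the bridge domain, which is the property that matters for anyone used to sniffing ARP on a flat VLAN. The table entries are the ones on the slide; the class and port names, the proxy capacity, and the drop-on-miss choice are assumptions (the slides only say flooding is removed, not what a lookup miss does).

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field


def _norm(addr: str) -> str:
    """Canonical text form so abbreviated IPv6 ('fe80::8e5e' on the slide) and full
    addresses compare equal as table keys."""
    return ipaddress.ip_address(addr).compressed


class SpineProxy:
    """Spine 'proxy station table': every endpoint in the fabric -> owning leaf.
    The slide says 1,000,000+ entries; the capacity here is an assumed parameter."""

    def __init__(self, name: str, capacity: int = 1_000_000):
        self.name, self.capacity = name, capacity
        self._table: dict[str, str] = {}
        self.lookups = 0          # counts how often leaves had to fall back to the proxy

    def register(self, ep: str, leaf: str) -> None:
        key = _norm(ep)
        if key not in self._table and len(self._table) >= self.capacity:
            raise OverflowError(f"{self.name}: proxy station table full")
        self._table[key] = leaf

    def lookup(self, ep: str) -> str | None:
        self.lookups += 1
        return self._table.get(_norm(ep))


@dataclass
class Leaf:
    """Leaf with the two tables from the slide: local station table (directly attached
    hosts -> port) and global station table (cache of remote endpoints -> leaf), with
    the spine proxy standing in for the '*' default entry."""
    name: str
    proxy: SpineProxy
    local: dict[str, str] = field(default_factory=dict)
    global_cache: dict[str, str] = field(default_factory=dict)

    def attach(self, ep: str, port: str) -> None:
        self.local[_norm(ep)] = port
        self.proxy.register(ep, self.name)   # the fabric learns where the endpoint lives

    def resolve(self, ep: str) -> tuple[str, str | None]:
        """(table that answered, next hop): a port for local hits, a leaf for remote ones."""
        key = _norm(ep)
        if key in self.local:
            return "local", self.local[key]
        if key in self.global_cache:
            return "global-cache", self.global_cache[key]
        leaf = self.proxy.lookup(key)
        if leaf is None:
            return "miss", None
        self.global_cache[key] = leaf           # populate the cache on the first proxy lookup
        return "proxy", leaf

    def handle_arp_request(self, sender_ip: str, target_ip: str) -> dict:
        """Directed ARP: unicast the request to wherever the target lives; never flood."""
        hit, nexthop = self.resolve(target_ip)
        if hit == "local":
            return {"action": "unicast-port", "via": hit, "to": nexthop}
        if hit == "miss":
            return {"action": "no-flood-drop", "via": hit, "to": None}   # assumed handling of a miss
        return {"action": "unicast-leaf", "via": hit, "to": nexthop}


def build_fabric() -> tuple[Leaf, SpineProxy]:
    """Entries copied from the slide: 10.1.3.11 on Leaf 1 Port 9, 10.1.3.35 on Leaf 3,
    the two link-local IPv6 hosts on Leaf 4 and Leaf 6, 10.1.3.35 already cached on Leaf 1."""
    proxy_a = SpineProxy("Proxy A")
    leaf1 = Leaf("Leaf 1", proxy_a)
    leaf1.attach("10.1.3.11", "Port 9")
    for ep, leaf in [("10.1.3.35", "Leaf 3"),
                     ("fe80::462a:60ff:fef7:8e5e", "Leaf 4"),
                     ("fe80::62c5:47ff:fe0a:5b1a", "Leaf 6")]:
        proxy_a.register(ep, leaf)
    leaf1.global_cache[_norm("10.1.3.35")] = "Leaf 3"
    return leaf1, proxy_a


def demo() -> list[dict]:
    leaf1, proxy_a = build_fabric()
    return [
        leaf1.handle_arp_request("10.1.3.35", "10.1.3.11"),   # local host -> out Port 9
        leaf1.handle_arp_request("10.1.3.11", "10.1.3.35"),   # cached -> Leaf 3, spine not consulted
        dict(zip(("via", "to"), leaf1.resolve("fe80::62c5:47ff:fe0a:5b1a"))),  # proxy -> Leaf 6
        dict(zip(("via", "to"), leaf1.resolve("fe80::62c5:47ff:fe0a:5b1a"))),  # second time: cached
        leaf1.handle_arp_request("10.1.3.11", "10.1.3.99"),   # unknown target -> not flooded
    ]
```

`SpineProxy.lookups` makes the caching visible: the cached and local cases never touch the spine, the first remote miss costs one proxy lookup, and the second lookup for the same address is served from the leaf's global table.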

Slide 11

EFT Customer Scale

Slide 12

ACI is managed via Policy

Figure: ACI Fabric (non-blocking, penalty-free overlay) with the EPGs Outside (tenant VRF), Web, App and DB. The three tier-to-tier links carry policy (QoS + Filter, QoS + Service, QoS + Filter), all managed by the Application Policy Infrastructure Controller (APIC).

Slide 13

Figure (text as extracted):

‒ Enable Connectivity (The Network): IP Address, VLAN, VRF

‒ Control & Audit Connectivity (Security – Firewall, ACL, …)

‒ Redirect and Load Balance Connectivity

‒ Application Requirements → IP Addressing

‒ Application Specific Connectivity: dynamic provisioning of connectivity explicitly defined for the application

ACI directly maps the application connectivity requirements onto the network and services fabric.

Slide 14

APPLICATION VS. NETWORK: TWO LANGUAGES

APPLICATION LANGUAGE

• Application Tier Policy and Dependencies

• Security Requirements

• Service Level Agreement

• Application Performance

• Compliance

• Geo Dependencies

• Tenants

NETWORK LANGUAGE

• VLAN

• IP Address

• Subnets

• Firewalls

• Quality of Service

• Load Balancer

• Access Lists

• VRFs

Slide 15

POLICY MODEL

ACI policy model brings the concept of End-Point Group (EPG)

Figure: EPG - Web, containing four HTTPS Service endpoints and four HTTP Service endpoints.

EPGs are a grouping of end-points representing application or application components independent of other network constructs.

Slide 16

Ex.: EPGs, Subnets and Policy

EPGs separate the addressing of an application from its mapping and policy enforcement on the network.

Figure: EPG Web spans HTTPS Service and HTTP Service endpoints in both 10.10.10.x and 10.10.11.x; policy/security enforcement occurs at the EPG level.

Slide 17

Applying Policy between EPGs: ACI contracts

Figure: Contract 01 and Contract 02 connect EPG A, EPG B and EPG C; one is shown as unidirectional communication, the other as bidirectional communication.

The policy model allows for both unidirectional and bidirectional policies.

Contracts define the way in which EPGs interact.

Ex: ACI Logical Model applied to the “3-Tier App” ANP

Slide 18

ACI and Today’s 3-Tier applications

Figure: App Network Profile, “The Application / Service”: Outside (Client(s)) → Web → App → DB, with a defined policy (P) on each link: QoS + Filter between Outside and Web, QoS + Service between Web and App, QoS + Filter between App and DB. The Web tier could be many VMs; the App tier could be a mix of physical/virtual machines; the DB tier is mostly physical resources. P = Defined Policy.
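Added example (not from the deck or Cisco) that models slides 16 to 18 in Python: endpoints belong to EPGs, a contract permits consumer-to-provider traffic for its filters, and a bidirectional contract also permits the provider's replies by matching the filter port as the source port (a simplified stand-in for the Apply Both Directions / Reverse Filter Ports options on an ACI contract subject). Addresses play no part in the decision, which is the point of slide 16. The EPG names are the slides'; the ports, endpoint addresses and the extra one-way syslog contract are assumed.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Endpoint:
    name: str
    ip: str
    epg: str          # membership is assigned by policy, never derived from the subnet


@dataclass(frozen=True)
class Filter:
    proto: str        # "tcp" or "udp"
    dport: int        # destination port on the provider side


@dataclass(frozen=True)
class Contract:
    """consumer EPG -> provider EPG for the listed filters. With both_directions the
    provider's replies (source port == filter port) are also permitted; a unidirectional
    contract permits only the consumer-to-provider direction."""
    name: str
    consumer: str
    provider: str
    filters: tuple[Filter, ...]
    both_directions: bool = True


@dataclass
class PolicyModel:
    contracts: list[Contract] = field(default_factory=list)

    def add(self, c: Contract) -> None:
        self.contracts.append(c)

    def evaluate(self, src: Endpoint, dst: Endpoint, proto: str, sport: int, dport: int) -> tuple[bool, str]:
        """Decision for one packet, keyed on EPG membership only."""
        if src.epg == dst.epg:
            return True, "intra-EPG (permitted without a contract)"
        for c in self.contracts:
            for f in c.filters:
                if f.proto != proto:
                    continue
                if c.consumer == src.epg and c.provider == dst.epg and f.dport == dport:
                    return True, f"{c.name} consumer->provider {proto}/{dport}"
                if (c.both_directions and c.provider == src.epg and c.consumer == dst.epg
                        and f.dport == sport):
                    return True, f"{c.name} provider->consumer reply {proto}/{sport}"
        return False, f"no contract between {src.epg} and {dst.epg} for {proto}/{dport}"


def three_tier_model() -> PolicyModel:
    """The slide's 3-tier ANP: Outside -> Web -> App -> DB. Ports are assumed."""
    m = PolicyModel()
    m.add(Contract("web-contract", consumer="Outside", provider="Web", filters=(Filter("tcp", 443),)))
    m.add(Contract("app-contract", consumer="Web", provider="App", filters=(Filter("tcp", 8080),)))
    m.add(Contract("db-contract", consumer="App", provider="DB", filters=(Filter("tcp", 5432),)))
    # Assumed one-way contract: DB may push syslog to a collector in Outside, nothing may come back.
    m.add(Contract("syslog-out", consumer="DB", provider="Outside",
                   filters=(Filter("udp", 514),), both_directions=False))
    return m


# Constructed endpoints: web1 and web2 are in different subnets but the same EPG (slide 16);
# db1 sits in web1's subnet but in a different EPG.
ENDPOINTS = {
    "client": Endpoint("client", "192.0.2.10", "Outside"),
    "web1": Endpoint("web1", "10.10.10.21", "Web"),
    "web2": Endpoint("web2", "10.10.11.21", "Web"),
    "app1": Endpoint("app1", "10.10.12.5", "App"),
    "db1": Endpoint("db1", "10.10.10.80", "DB"),
}


def demo() -> dict[str, bool]:
    m, e = three_tier_model(), ENDPOINTS
    return {
        "client->web1 443": m.evaluate(e["client"], e["web1"], "tcp", 51000, 443)[0],
        "client->web2 443": m.evaluate(e["client"], e["web2"], "tcp", 51001, 443)[0],   # same EPG, other subnet
        "web1 reply->client": m.evaluate(e["web1"], e["client"], "tcp", 443, 51000)[0],
        "web1->web2 22": m.evaluate(e["web1"], e["web2"], "tcp", 40000, 22)[0],          # intra-EPG
        "web1->db1 5432": m.evaluate(e["web1"], e["db1"], "tcp", 40001, 5432)[0],       # same subnet, no contract
        "app1->db1 5432": m.evaluate(e["app1"], e["db1"], "tcp", 40002, 5432)[0],
        "client->db1 5432": m.evaluate(e["client"], e["db1"], "tcp", 40003, 5432)[0],
        "db1->client 514": m.evaluate(e["db1"], e["client"], "udp", 40004, 514)[0],
        "client->db1 reply 514": m.evaluate(e["client"], e["db1"], "udp", 514, 40004)[0],  # unidirectional
    }
```

Two things the model makes visible. Contracts are not transitive: Web reaches App and App reaches DB, yet Web to DB is denied even though web1 and db1 share a subnet. And the reply rule is stateless: any packet from a Web endpoint with source port 443 towards Outside passes whether or not a session exists, which is why a contract filter is not a substitute for a stateful firewall inserted through the service policy on a link.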

Slide 19

Application Policy Model And Instantiation

All forwarding in the fabric is managed through the application network profile

• IP addresses are fully portable anywhere within the fabric

• Security and forwarding are fully decoupled from any physical or virtual network attributes

• Devices autonomously update the state of the network based on configured policy requirements

Application policy model: defines the application requirements (application network profile).

Policy instantiation: each device dynamically instantiates the required changes based on the policies.

Figure: Application with Client, Web Tier, App Tier, DB Tier and Storage; VMs at 10.2.4.7, 10.9.3.37 and 10.32.3.7 placed across the fabric under APIC.

Slide 20

DECLARATIVE VS IMPERATIVE

Slide 21

Figure (two control models, labels as extracted):

‒ Imperative Control: Admin → Control System → Elements. The controller holds the Policy Mgr + Control Plane; the elements hold only the Data Plane. Protocols: OpenFlow + OVSDB.

‒ Declarative Control: the APIC SDN Controller holds the Policy Mgr; the elements hold Control + Data Plane. No standard protocol exists.

Slide 22

Imperative has issues

• Failures often need to be resolved by Controller

‒ No paper

• Requires all knowledge in Controller

‒ Needs to know who has what

‒ Uses lowest common denominator set of features

• Controller becomes bottleneck

‒ Many requests being issued

‒ Lots of error handling

Slide 23: diagram only, no text extracted.

Slide 24

Control Channel - VMM Domains

• Relationship is formed between APIC and Virtual Machine Manager (VMM)

• Multiple VMMs likely on a single ACI Fabric

• Each VMM and associated Virtual hosts are grouped within APIC; this grouping is called a VMM Domain

• There is a 1:1 relationship between a Virtual Switch and a VMM Domain

Figure: VMM Domain 1, VMM Domain 2 and VMM Domain 3, with vCenter DVS, vCenter AVS and SCVMM as the virtual switches / managers.

Slide 25

• Software-only overlays and hardware networks do not exclude each other by definition.

• If an organization wants to run a software overlay like NSX or Nuage, ACI is the best transport network they can run it on.

Slide 26

OpenStack Managed Network Workflow

Actors shown: the OpenStack Tenant (performs steps 1 and 4) and the ACI Admin (manages the physical network, monitors tenant state). Numbered steps as on the slide:

1. OpenStack Tenant: create Network, Subnet, Security Groups (Neutron network, Neutron router, security group).

2. Neutron automatically pushes network profiles to APIC.

3. APIC creates the End Point Groups of the Application Network Profile (L/B, EPG WEB, EPG APP, EPG DB, F/W) with any-any allow.

4. OpenStack Tenant: instantiate VMs (Nova) on the hypervisors (Web, App, DB).

5. APIC pushes policy to the ACI Fabric.

Because the EPGs in this workflow are created any-any allow, filtering between the tiers comes from the OpenStack Security Groups the tenant defined in step 1 rather than from ACI contracts.

Slide 27

Group Based Policy Workflow

Same actors as the previous slide: the OpenStack Tenant (performs steps 1 and 4) and the ACI Admin (manages the physical network, monitors tenant state).

1. OpenStack Tenant: create Application Network Profile (Group Based Policy).

2. Network profiles are automatically pushed to APIC.

3. APIC creates the Application Policy: the Application Network Profile with L/B, EPG WEB, EPG APP, EPG DB and F/W.

4. OpenStack Tenant: instantiate VMs (Nova) on the hypervisors (Web, App, DB).

5. APIC pushes policy to the ACI Fabric.

Slide 28: repeat of slide 12 (ACI is managed via Policy).

Slide 29

Innovation Driving Application Performance

Figure: Congestion Management. Network Innovations: Dynamic Load Balancing, Dynamic Packet Prioritization. Network Utilization bars: 60%, 60%, 90%.

Slide 30

Application Awareness / Application-Level Visibility

ACI Fabric provides the next generation of analytic capabilities. Per application, tenants, and infrastructure:

• Health scores

• Latency

• Atomic counters

• Resource consumption

Integrate with workload placement or migration (triggered events or queries from APIC).

Figure (per-hop visibility over VXLAN, physical and virtual as one):

‒ PetStore Dev: Leaf 1 and 2, Spine 1 – 3, atomic counters

‒ PetStore Prod: Leaf 2 and 3, Spine 1 – 2, atomic counters

‒ PetStore QA: Leaf 3 and 4, Spine 2 – 3, atomic counters

‒ PetStore Event, actions: no new hosts or VMs; evacuate hypervisors; re-balance clusters

Slide 31

1. Extend L2 into ACI

2. Configure ACI for this L2 extension

3. Create new EPG and contracts for the workloads to move into

4. Move Workloads

5. Move HSRP Default Gateway over to ACI

6. Turn off the existing Network

Easy.

(You can do 4 and 5 in any order and might choose never to do 6!)

Slide 32

ACI and Nexus 9000: Business Outcomes and Benefits for Cisco IT

‒ Reduce Network Provisioning: 58%

‒ Reduce Management Costs: 21%

‒ Reduce Power and Cooling Costs: 45%

‒ CAPEX Reduction: 25%

‒ Compute and Storage Optimization: 10–20%

Benefit categories shown: Greater Business Agility, Lower Capital Expenses, Reduced Costs/Complexity, Lower Operating Cost, Resource Optimization.