Migration from Classic DC Network to Application Centric Infrastructure

Transcription

1

2 Migration from Classic DC Network to Application Centric Infrastructure Kannan Ponnuswamy, Solution Architect, Cisco Advanced Services

3 Acronyms IOS vpc VDC AAA VRF STP ISE FTP ToR UCS FEX OTV QoS BGP PIM IaaS PaaS MTIaaS XaaS SECaaS SaaS TAC VSG ASA RIP CPU CDP ARP Network Programmability ACI 3

4 Icons and Terms APIC Application Policy Infrastructure Controller (APIC) Cisco Nexus 9500 Cisco Nexus 9300 Nexus 7000 Nexus 5000 Nexus 2000 / FEX Nexus 1000 Router Load Balancer Firewall Storage Virtual Machine VMware vcenter 4

5 Agenda Application Centric Infrastructure (ACI) Overview Migration to ACI Network Centric Hybrid Approach Application Centric Planning for the future with Nexus

6 Policy Driven Merchant+ ACI Overview External Network POLICY WEB POLICY APP POLICY DB Application Virtualization APIC Networking Physical HYPERVISOR HYPERVISOR HYPERVISOR 6

7 Nexus 9000 Series Network Ops Driven, Switch Automation User Driven, Policy Based Fabric Automation Per-Box Programmability Open, Flexible, & Choice of Programmability Modes Policy Controller, Centralized Fabric Programmability 1/10/40/100GE Common Platform APIC 7

8 Migration Paths to ACI Classic mode Growth Addition Network refresh Current DC Infrastructure ACI Integration New environments Service Chaining Dev, Test ACI Migration Business drivers Security, Compliance, TCO, Programmability, Operations etc. ACI Fabric 8

9 Agenda Application Centric Infrastructure (ACI) Overview Migration to ACI Network Centric Hybrid Approach Application Centric Planning for the future with Nexus

10 ACI Deployment and Migration Deployment Design and deploy new ACI POD Integration Extend ACI to your existing POD Migration Migrate workloads to use new ACI POD 10

11 Deploying an ACI POD

12 ACI Fabric Initialization ACI Fabric ACI Fabric supports discovery, boot, inventory and systems maintenance processes via the APIC Fabric Discovery and Addressing Image Management Topology validation through wiring diagram and systems checks APIC APIC APIC 12

13 ACI Forwarding Model Tenant VRF_Context_One Bridge Domain One EPG_1 VRF_Context_N EPG_ /16 Bridge Domain One / /16 Bridge Domain N EPG_N EPG_N Non-IP, L2 forwarding only EPG_Legacy A Tenant refers to one or more VRFs/Contexts A Context/VRF is referred to by one or more Bridge Domains (BD) Bridge Domains identify properties influencing forwarding behavior. One or more subnets, ARP handling, Multicast etc. A collection of end-points form an end-point group(epg). EPG associates to a BD. EndPoints Identified by: Physical or Virtual Switch ports, VLAN ID, VNID Future - NVGRE (VSID), DNS hostname, IP address 13

14 ACI Policy Model C Contracts define what an EPG exposes to other EPGs and how EPG MGMT C Tenant Application Profile C EPG Web C EPG App C EPG DB C EPG NFS Contracts are reusable for multiple EPGs and EPGs can inherit multiple contracts 14

15 ACI Policy Model What is a Contract C filter action Allows to specify rules and policies on groups of physical or virtual end-points without understanding of specific identifiers and regardless of physical location. filter identifier to which actions filter will be applied L4 port ranges TCP options filter action identifies actions to be applied action Permit QoS Log Redirect to Services action defined bi-directionally in the provider centric way 15

16 No Such Thing as Enough Security McAfee_Labs_Threat_Advisory_EPOS_Data_Theft.pdf 16

17 Cisco ACI Hypervisor Integration VMWare DVS APIC 5 Create Application Policy F/W Application Network Profile EPG WEB L/B EPGAP P EPG DB APIC Admin 9 Push Policy (Lazy) ACI Fabric 1 Cisco APIC and VMware vcenter Initial Handshake 6 Automatically Map EPG To Port Groups 4 Learn location of ESX Host through LLDP 2 Create VDS VIRTUAL DISTRIBUTED SWITCH VI/Server Admin vcenter Server 8 Instantiate VMs, Assign to Port Groups 7 3 Create Port Groups Attach Hypervisor to VDS WEB PORT GROUP APP PORT GROUP DB PORT GROUP Web App HYPERVISOR DB Web Web HYPERVISOR DB 17

18 ACI Adoption Strategies ACI Fabric Model = New OPERATIONS Model + DESIGN Model Leverage Known APPLICATIONS Constructs (decoupled from Network) Leverage Known NETWORKING Constructs OPERATIONS DESIGN HYBRID: Leverage BOTH APPLICATIONS & NETWORKING Centric Constructs OPERATIONS DESIGN OPERATIONS DESIGN ACI Fabric New ACI Fabric Operational Model 18

19 Agenda Application Centric Infrastructure (ACI) Overview Migration to ACI Network Centric Hybrid Approach Application Centric Planning for the future with Nexus

20 / / / /30 Network Centric Deployment example 1 VRF + 1 VLAN Classic mode shown here for Reference ACI Fabric APIC Blue Tenant and Context Policies /24.3 VRF Blue Routing VLAN 10 HSRP Access List QoS etc..101 Bridge Domain Blue_ /24 EPG blue_1 External EPG Exchange Routes (Blue).101 VLAN Classic Access Switches Tag Tag could be VLAN ID or VNID 20

21 / / / /30 Network Centric Deployment Example 1 VRF + 2 VLANs Option 1 Classic mode shown here for Reference ACI Fabric APIC Vlan 10,11 Blue Tenant and Context BD Blue_1 ( /24) EPG blue_1 BD Blue_2 ( /24) EPG blue_2 Policies External EPG Exchange Routes (Blue) VLAN 10 ( /24) VLAN 11 ( /24) Tag 2101 Classic Access Tag

22 Network Centric Configuration 22

23 Configuring ACI Forwarding Unicast Routing: The forwarding method based on predefined forwarding criteria (IP or MAC address). The default is layer 3 forwarding (IP address) L2 Unknown Unicast: forwarding method for unknown layer 2 destinations. The method can be flood or proxy (default) ARP Flooding: Specifies whether ARP flooding is enabled. If flooding is disabled, unicast routing will be performed on the target IP address. Can be on or off (default) 23

24 / / / /30 Network Centric Deployment Example 1 VRF + 2 VLANs FW is the Def. GW Classic mode shown here for Reference ACI Fabric APIC Blue Tenant and Context BD Blue_1 BD Blue_2 Exchange Routes (Blue) Vlan 10,11 EPG blue_1 EPG blue_2 External EPG VLAN 10 ( /24) Tag 2101 Classic Access Tag 2102 VLAN 11 ( /24) 24

25 / / / /30 Network Centric Deployment Example 1 VRF + 2 VLANs Option 2 Classic mode shown here for Reference 1. Policies are based on EPG 2. Forwarding is based on BD attributes ACI Fabric What if different policies between two groups mandated separate VLANs in Classic Networks. APIC Vlan 10,11 Blue Tenant and Context EPG blue_1 BD Blue_ /23 X EPG blue_2 Policies External EPG Exchange Routes (Blue) Classic Access VLAN 10 ( /24) Tag 2101 Tag 2102 VLAN 11 ( /24) 25

26 / / / /30 Network Centric Deployment Example 1 VRF + 2 VLANs Option 3 Classic mode shown here for Reference What if two VLANs was only due to ARP broadcast concerns. 1. Forwarding based on destination IP Address for intra and inter subnet (Default Mode) 2. Hardware based directed ARP forwarding APIC ACI Fabric Vlan 10,11 Blue Tenant and Context BD Blue_ /23 EPG blue_1 Policies External EPG Exchange Routes (Blue) VLAN 10 ( /24) VLAN 11 ( /24) Classic Access Tag

27 Network Centric ACI Integration

28 Extension of the ACI Overlay to remote AVS ACI Extended Overlay ACI VXLAN Extended Overlay Infrastructure VRF Extended VTEP VTEP VTEP VTEP L2 or L3 Direct Attach Endpoints vswitch Hypervisor Attached Endpoints (VLAN or VXLAN) VTEP AVS VTEP AVS ACI Policy overlay can be extended over existing IP networks Full ACI VXLAN Switching Enabled Hypervisor 28

29 Forwarding within the Extended Overlay Adding Remote Physical Leaf Nodes, Nexus 9000 VTEP VTEP VTEP VTEP VM VTEP AVS VM VTEP AVS vswitch VM VM VTEP AVS VTEP AVS VM VM VM VM

30 Forwarding within the Extended Overlay Adding Remote Physical Leaf Nodes, Nexus 9000 VTEP VTEP VTEP VTEP VM VTEP AVS VM VM VTEP AVS vswitch VM VTEP AVS VTEP VTEP AVS Nexus 9000 as a remote ACI Leaf Support for full policy based forwarding, atomic counters, zero touch install, health scores VM VM VM VM

31 Extending ACI Policy Based Forwarding into Existing Data Center Networks (1HCY15) 1. Extend Policy Based Forwarding 2. Extend Visibility, Fault and Audit 3. Automated Device Management for extended Fabric nodes ACI Enabled Remote N9K N5K N3K N6K vswitch AVS vswitch AVS HyperV OVS Extended ACI Fabric 31

32 Network Centric ACI Migration

33 / /30 Network Centric Migration Example VRF + 2 VLANs Layer 3 Routing Static, OSPF, BGP APIC Vlan 10,11 Migration Layer 2 vpc Trunk Blue Tenant and Context L2_ Out BD Blue_1 EPG blue_1 BD Blue_ /24 EPG blue_2 Policies L2_ Out External EPG.101 VLAN 10 ( /24) VLAN 11 ( /24).102 STP compatibility with Classic Network VLAN 10 maps to BD Blue_1 VLAN 11 maps to BD Blue_2 Classic Devices are still the Default Gateway Equally applicable to L4-7 services (FW/LB) in the Classic Network Flooding enabled on ACI BDs during migration Once migration completed, insert needed services and move Default Gateway ACI BDs 33 Access Tag 2101 Tag 2102 Tag could be VLAN ID or VNID.

34 ACI Integration and Migration ACI Fabric 10G/40G to ACI Layer 3 Layer 2-1GE Layer 2-10GE 10 GE DCB 10 GE FCoE/DCB 4/8 Gb FC 34

35 ACI Integration and Migration Forwarding Flow ACI Fabric L3 L2 Default Gateway moves to ACI Leaf layer EPG = VLAN / Subnet (initial step) Host / FEX can migrate to Leaf (overtime) Migration Path 10G/40G to ACI Layer 3 Layer 2-1GE Layer 2-10GE 10 GE DCB 10 GE FCoE/DCB 4/8 Gb FC 35

36 Many Migration Options Phase 1: Layer 2 Existing Network/Local Switching OpFlex OpFlex Option 3: Interconnect existing POD to Fabric AVS AVS Option 2: Migrate FEX to 9300 Option 1: Migrate FEX to

37 Agenda Application Centric Infrastructure (ACI) Overview Migration to ACI Network Centric Hybrid Approach Application Centric Planning for the future with Nexus

38 Deployment Example Hybrid Approach Classic mode shown here for Reference External Network APIC.2.3 Blue Tenant and Context BD Blue_ /24 EPG 11 EPG One-web BD Blue_ /24 EPG Two-web Policies EPG Three-web External EPG Exchange Routes (Blue) VLAN 11 Access ( /24 Tag 2011 VLAN 10 ( /24) Tag 100 Tag 101 Tag 102 AppOne s WebServer AppTwo s WebServer AppThree s WebServer AppOne s WebServer AppTwo s WebServer AppThree s WebServer External Network 38 38

39 Hybrid (Network and Application Centric) ACI Migration

40 ACI Migration for Hybrid Approach Exchange Routes (Blue) APIC External EPG BD Blue_2 Policies Blue Tenant and Context Classic L2 Extension. EPG 11 EPG One-web BD Blue_1 EPG Two-web EPG Three-web VLAN 11 ( /24 VLAN 10 ( /24) AppOne s WebServer AppTwo s WebServer AppThree s WebServer STP compatibility with Classic Network VLAN 10 maps to BD Blue_1 VLAN 11 maps to BD Blue_2 Classic Devices are still the Default Gateway Flooding enabled on ACI BDs during migration Equally applicable to L4-7 services (FW/LB) in the Classic Network Once migration completed, insert needed services and move Default Gateway ACI BDs Access Tag 2011 Tag 100 Tag 101 Tag

41 Virtual Environment Migration Example L3 L2 L3 vcenter vshield L3 N7K N7K ACI Fabric N5500 N5500 L2 L2 L3 L2 L2 L3 VMware vswitch, DVS, N1kV APIC Created VMware DVS / Cisco AVS APIC Created VMware DVS / Cisco AVS vmotion / Cold Migration 41

42 ACI Virtual Migration Assistant User and Workflow driven Multiple scenarios vswitch ACI DVS ACI N1kv ACI Any Combination ACI Cisco Advanced Services 42

43 Agenda Application Centric Infrastructure (ACI) Overview Migration to ACI Network Centric Hybrid Approach Application Centric Planning for the future with Nexus

44 Application Centric Migration Building the Application Profile an Example Oracle Internet Expenses 44

45 Application Centric Migration Building the Application Profile an Example Other Applications Intranet Border Leaf TCP: *,443 C C C Active Directory 45

46 Application Centric Migration Building the Application Profile an Example C Intranet Border Leaf C C Expenses EPG C Extranet Border Leaf C Oracle RAC DB 46

47 ACI Deployments for Known Application Profiles Internet WAN / DCI ACI POD for Greenfield or well understood applications Spine L3 L2 N7K N7K ACI Introduction N9K N9K Leaf N9300 N9300 N9300 N9300 N9300 N9300 N9300 N9300 V Integrated L4-L7 Services Physical & Virtual 47

48 Defining Profiles for Applications in Use Common Customer Challenges Lack of confidence on existing information CMDB, Single Source of Truth (SSOT), IPAM etc. Not knowing End-Point (EP) details Identification In-use vs decommissioned Unsure on App Host association List of L4 ports: Client or Server EPs classification and Application grouping assignment Customer needs guidance Application End Point Groups and associated policies 48

49 Application Network Profile Discovery Unknown Application Network Profiles Web Tier App Tier DB Tier F/W LB FW LB F/W LB WEB 1 FW LB APP 1 DB 1 F/W LB WEB 2 FW LB APP 2 DB 2 F/W LB WEB 3 FW LB APP 3 DB 3 49

50 ACI Deployment Assistant (Pre Migration) Comprehensive Application Dependencies Multiple Application Network Policies Application, Server Mapping Automate Physical, Virtual Migration Cisco Advanced Services Application Dependency Analysis Network and Server data correlation Application fingerprinting Customer input APIC Network Discovery: Device Configurations Protocol State Traffic Capture HYPERVISOR HYPERVISOR HYPERVISOR Server Discovery: Servers Process Network Stats 53

51 ACI Migration Summary ACI designed from the ground-up to be Application Centric Flexible and customizable to fit your business needs A phased approach: Grow, Integrate, Migrate Solution flexible to be Network Centric, Application Centric or a Hybrid approach 54

52 Agenda Application Centric Infrastructure (ACI) Overview Migration to ACI Network Centric Hybrid Approach Application Centric Planning for the future with Nexus

53 Classic Mode Adoption Nexus 9000 Series Aggregation Catalyst Replacement New access POD or Catalyst Replacement New Aggregation, Access POD N9500 C6500 Layer 3 Layer 2 N7K Layer 3 Layer 2 N9500 Layer 3 Layer 2 N5K vpc N9300 vpc N9300 vpc vpc N2K vpc N2K vpc N2K vpc VM #2 VM #3 VM #4 VM #2 VM #3 VM #4 VM #2 VM #3 VM #4 56

54 Classic Mode Adoption - VxLAN on Nexus 9000 Series Workload mobility L2 Multipathing VXLAN Gateway (VXLAN to VLAN) VXLAN Bridging (VXLAN to VXLAN at L2) VXLAN Routing Routing between VXLANs and VLAN to VXLAN Anycast Gateway for vpc setup VXLAN Overlay 57

55 Classic Mode Tools for Nexus 9000 Series On CCO: Catalyst 6500/4500 IOS to Nexus 9000 NX-OS Configuration Converter 58

56 Open Source for Nexus 9000 Series Community contributed code and samples Sample scripts for automation, operations and general use Python Modules to aid in rapid development For custom use cases, development could be done by your in-house team Cisco Advanced Services 59

57 Nexus Deployment and Migration Assistant Deployment Design and deploy new Nexus POD Integration Extend L2, L3 to new Nexus POD Migration Migrate ports to use new Nexus POD 60 60

58 Nexus Deployment Assistant Cisco AS Best Practices POD builder questionnaire Select technology you would like to deploy Select aggregation, access devices, line cards Select connectivity requirements Select protocol settings and other configuration 61

59 Nexus Deployment and Migration Tool Nexus Deployment Assistant + Selective Catalyst IOS to Nexus 9000 config migration Current Device Module Selected Interfaces Access Switch #1 WS-X6548-GE-TX GigabitEthernet1/1 GigabitEthernet1/2 GigabitEthernet1/3 GigabitEthernet1/4 Access Switch #2 WS-X6748-GE-TX GigabitEthernet3/1 GigabitEthernet3/2 GigabitEthernet3/3 Target Device vpc Pair NewAccess1 NewAccess2 Module N9K-X9564TX Target Interfaces Ethernet1/1 Ethernet1/2 Ethernet1/3 Ethernet1/4 GigabitEthernet3/4 62

60 Nexus Deployment and Migration Tool Cisco AS Best Practices Automate Nexus 9000 deployment and configuration Catalyst and Nexus 9000 integration and end device migration Migrate any Catalyst 6500 topology to any Nexus 9000 topology Catalyst Environments Nexus Deployment VSS Si Si Si Si Deployment Assistant Si Si Si Si Cisco Advanced Services 63

61 ACI Migration Summary ACI designed from the ground-up to be Application Centric Flexible and customizable to fit your business needs A phased approach: Grow, Integrate, Migrate Solution flexible to be Network Centric, Application Centric or a Hybrid approach Thank You!! 64

62 Complete Your Online Session Evaluation Give us your feedback and you could win fabulous prizes. Winners announced daily. Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center. Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online 65

63 Continue Your Education Demos in the Cisco Campus Walk-in Self-Paced Labs Table Topics Meet the Engineer 1:1 meetings 66

64

65