Application Centric Infrastructure

Transcription

1

2 Application Centric Infrastructure René Raeber, Distinguished Engineer IEEE DCB Architect, Datacenter Patent Reviewer

3 Agenda Introduction Application Centric Infrastructure 1. Policy Model & Controller 2. The Fabric 3. The Data Plane 4. The Control Plane 5. Overlay s? Questions & Summary 3

4 Agenda Introduction Application Centric Infrastructure 1. Policy Model & Controller 2. The Fabric 3. The Data Plane 4. The Control Plane 5. Overlay s? Questions & Summary

5 Cloud SOA=> SOI =>XaaS Client Server Minicomputer/PC Mainframe

6 Data Center Demands Business Process Agility Regulatory Compliance Business Challenges Security Threats Budget Constraints Cloud Data Deluge Technology Trends Energy Efficiency Proliferation of Devices

7 What is Security? The conscious or unconscious acceptance of a risk in The relation conscious of the or unconscious probability of acceptance this becoming of a to risk be reality in a certain time and relation of the probability of this becoming to be reality

8 Focus on IT Economics

9 Cisco s Phased Datacenter Approaches Unified Datacenter Datacenter Business Advantage Insieme Datacenter-3.0 Nuova Cisco-Fusion Cisco-Blue Andiamo Crescendo

10 Traditional Datacenter Center Architectures

11 Data Centers Need to Evolve Distributed Fabric Based Application Driven Cloud Cloud Monitoring Apps Programmable Provisioning Apps Networking Apps End- User Apps Provisionable Fabric L2, L3 Compute Compute Storage Storage Services Services L2, L3 Compute Compute Storage Storage Services Services Manual Provisioning Limited scaling Rack-wide VM mobility Policy-based Provisioning Scale Physical and Virtual/Cloud DC-wide/Cross-DC VM Mobility Integrated Fabric and Cloud World of Many Clouds Service-centric Provisioning Flexible Anywhere, Anytime Cross-cloud VM Mobility

12 Agenda Introduction Application Centric Infrastructure 1. Policy Model & Controller 2. The Fabric 3. The Data Plane 4. The Control Plane 5. Overlay s? Questions & Summary

13 A NEW OPERATING MODEL IS REQUIRED TRADITIONAL NETWORKING MODEL TODAY S SDN MODEL FUTURE MODEL Network of Devices Software-Based Network Virtualization Application Centric Infrastructure Proven and Reliable Existing Infrastructure Model Existing Application Model Many Data Center today Does not remove Complexity Disjoint Overlay and Underlay Multiple Management Points Radical Simplification Centralized Automation with Application Profiles SW Flexibility with HW Performance Applications will drive the network behavior and NOT the opposite

14 Application Centric Infrastructure Rapid Deployment of Applications onto Networks with Scale, Security and Full Visibility T h e A C I B u i l d i n g B l o c k s CONTROLLER POLICY MODEL NEXUS 9500 and 9300

15 SPINE LEAF ARCHITECTURE SINGLE POINT OF CONTROL APIC SCALABLE ARCHITECTURE PHYSICAL AND VIRTUAL HYPERVISOR HYPERVISOR HYPERVISOR

16 Any Application, Anywhere, Any Time Physical and Virtual Common Application Network Profile F/W L/B WEB L/B APP DB CONNECTIVIT Y POLICY SLA QoS APIC SECURITY POLICIES Security QOS APPLICATION L4..7 SERVICES STORAGE AND COMPUTE Load Balancing APP PROFILE HYPERVISOR HYPERVISOR HYPERVISOR

17 COMMON POLICY AND OPERATIONS FRAMEWORK Cloud Cloud Admin Application Admin Web Tier External Zone App Tier APPLICATION DB Tier Security Admin DMZ Trusted Zone SECURITY DB Tier Network Admin INFRASTRUCTURE

18 COMMON POLICY AND OPERATIONS FRAMEWORK Cloud Cloud Admin Application Admin APPLICATION External Zone Security Admin DMZ Trusted Zone SECURITY DB Tier Network Admin COMMON POOL OF RESOURCES

19 FABRIC INITIALIZATION & MAINTENANCE 3 6 Fabric will self assemble starting from multiple IFC sources 2 Spine switch discovers attached Leaf via LLDP, requests TEP address and boot file via DHCP Leaf switch discovers attached IFC via LLDP, requests TEP address and boot file via DHCP 5 Fabric can be discovered and initialized from multiple sources concurrently 7 APIC IFC Cluster APIC APIC IFC Cluster will form when members discovery each other via Appliance Vector (AV) 1 IFC bootstrap configuration 1) IFC Cluster Configuration 2) Fabric Name 3) TEP Address space (Infra-VRF) 4) All nodes in the same APIC cluster should contain same bootstrap information if they are intended to form a cluster 4

20 Agenda Introduction Application Centric Infrastructure 1. Policy Model & Controller 2. The Fabric 3. The Data Plane 4. The Control Plane 5. Overlay s? Questions & Summary

21 The Data and Policy Model Controller Identity Location Policy End Points Group End Points Application Network Profiles ACI Fabric (and attached SLB and FWs) Manage the entire Data Center (network and network security) - Easier Infrastructure Changes - Security decoupled from IP - Policy: virtual or physical servers - Elasticity Decoupling Identity from Location

22 Application Policy Infrastructure Controller APIC Unified point of fabric automation and management including application policies Distributed clustered software running on x86 appliance Central management of Fabric: End point policies Firmware Spine / Leaf Imaging Inventory Topology Monitoring / Troubleshooting Compute Integration 3 rd party integration Application Policies APIC GUI, CLI and RESTful APIs APIC Distributed Cluster Massive Scale-Out and N+2 Redundancy

23 END-POINTS Things that connect to the fabric and use it to interface with other things A compute, storage or service instance attaching to a fabric ifabric NIC vnic... end-points [ EP ]

24 END-POINTS Things that connect to the fabric and use it to interface with other things A compute, storage or service instance attaching to a fabric EP EP EP... A collection of end-points with identical network behavior form a end-point group [ EPG ] All EPs share common properties Connectivity Security/Access control QoS Services

25 END-POINT GROUPS EPGS EPG APP SERVER policies Allows to specify rules and policies on groups of physical or virtual end-points without understanding of specific identifiers and regardless of physical location. Can flexibly map into EPG WEB application tier of multi-tier app segmentation construct (ala VLAN) a security construct ESX port group EP EP EP end-point group [ EPG ]. All EPs share common properties.. Connectivity Security/Access control QoS Services

26 END POINT GROUP CONTRACTS provider End points in group WEB can access end-points in group APP SERVER according to rules specified in the contract consumer EPG APP SERVER contract EPG WEB EP EP EP... Allows to specify rules and policies on groups of physical or virtual end-points without understanding of specific identifiers and regardless of physical location. filter action filter identifies subject to which actions filter will be applied L4 port ranges TCP options filter action identifies actions applied to the subject action QoS Log Redirect into SVC graph action defined bi-directionally in the provider centric way

27 EXAMPLE : CISCO IT SOFTWARE SERVICES DEPLOYMENT Tenant: Storage Services EPG Internal NAS EPG DMZ NAS Tenant: Software Services EPG Software DB C C EPG: Softw Distr C C EPG Upload EPG Download EPG Software C C C EPG Internet Tenant: Middleware EPG Services Portal DB C C EPG OCM EPG Softw Portal EPG Internal Login EPG DSX C C C C EPG Tools EPG Login C C EPG Finance DB C EPG Cisco Internal

28 APIC Screen shot s

29 Mapping to SDN Today Imperative Control Declarative Control Policy Mgr + Control Plane SDN Controller OpenFlow + OVSDB Data Plane Elements Control System Admin APIC Policy Mgr No standard protocol exists Control + Data Plane

30 IETF-Opflex A flexible, extensible policy protocol OPFLEX is a new extensible policy resolution protocol designed for declarative control of any datacenter infrastructure. OPFLEX was designed to offer: APIC Policies Who can talk to whom What about Topology control Ops stuff 1. Abstract policies rather than devicespecific configuration 2. Flexible, extensible definition of using XML / JSON Opflex Agent Opflex Agent Opflex Agent Opflex Agent 3. Support for any device vswitch, physical switch, network services, servers, etc. Opflex Proxy Legacy API Opflex Agent Firewall Opflex Agent Hypervisor Switch Opflex Agent ADC

31 Open Ecosystem, Open APIS Hypervisor Management Automation Tools Orchestration Frameworks System Management READ / WRITE ALL FABRIC INFO APIC TENANT AND APPLICATION AWARE Security ASA PUBLISHED DATA MODEL OPEN SOURCE A Platform approach to Data Centre infrastructure Industry Standard Compliant

32 Agenda Introduction Application Centric Infrastructure 1. Policy Model & Controller 2. The Fabric 3. The Data Plane 4. The Control Plane 5. Overlay s? Questions & Summary

33 INNOVATIONS MERCHANT+ ASIC APPROACH Innovation in Cisco ASICs PRICE PERFORMANCE COST INDUSTRY STRUCTURE LEADING PRICE / for LINE 1G CARD to 1/10GT BANDWITH and G Tbps to per 40G slot migration 100G ready PORT PROGRAMMABILITY POWER DENSITY EFFICIENCY 20% JSON/XML STATE HIGHER OF THE API ART 36 Linux BACKPLANE Port Container 40 Gig FREE Nonblocking customer DESIGN Density apps for 15% greater power and cooling efficiency NEXUS 9000 PRICE PERFORMANCE PORT DENSITY PROGRAMMABILITY POWER EFFICIENCY

34 Fabric Standalone Two Software Modes Topology No change Forwarding No change Migration from Standalone to Fabric Mode is possible Common Hardware Nexus: Enhancements Mode Code adjustments Standalone Mode devices controlled separately 93xx Topology Change 40 Gig (100Gig future) Forwarding (Enhancements) Major Change Change Data Model Policy Model ACI (Application Centric Infrastructure) Mode Fabric Mode Central Controller

35 + Merchant+ strategy combination of merchant and custom silicon.

36 Merchant + Strategy Merchant Broadcom Trident 2 Used in Standalone & Fabric Modes Used in Fabric Mode only Custom Cisco Northstar Cisco Alpine Merchant+ strategy combination of merchant and custom silicon.

37 SCALABLE 1 GE/10 Gbps/40 Gbps/100 GE PERFORMANCE Nexus 9000 switch family FCS Q Nexus 9300 Nexus /10G SFP+ & 12 QSFP+ FCS Q Aggregation line card 36 40G QSFP+ FCS Q /10G-T & 8 QSFP+ FCS Q ACI Ready Leaf Line Card 48 1/10G-T & 4 QSFP+ FCS Q port QSFP+ GEM FCS Q ACI-ready Leaf line card 48 1/10G SFP+ & 4 QSFP+ FCS Q C Slot FLEXIBLE FORM FACTORS CAN ENABLE VARIABLE DATA CENTER DESIGN AND SCALING PERFORMANCE PORTS PRICE POWER PROGRAMMABILITY

38 Switching Portfolio Industry leading density and price / performance 48/96 port 4 slot (Mar 14) 8 slot 16 slot (Mar 14) Height 2/3 RU 6-7 RU 13 RU 21 RU I/O Module Slots 1 GEM Fabric Capacity per System (Tbps) Max Wire Rate 10G ports Max Wire Rate 40G ports Application NA 15 Tbps 30 Tbps 60 Tbps Future Top of Rack Access Small Aggregation Small Aggregation, Co-location EoR Access or High Density Aggregation/Spine High Density Spine Upgradeable to Fabric

39 FULL Application visibility A Single View of your Application in a distributed environment HEALTH SCORE 96 % LATENCY 5 Microsecond(s) DROP COUNT 25 Packets Dropped VISIBILITY 7 3 VMs Physical Application Delivery Controller Firewall Cisco Confidential Connect, Riyadh, Saudi Arabia, April 29-30,

40 QSFP BIDI Overview 40

41 40G BIDI OPTICS PRESERVE EXISTING 10G CABLING SIGNIFICANT TRANSCEIVER SAVINGS 10G Optical Link Jumper Cable Patch panel Trunk Cabling (100m) Patch panel Jumper Cable Traditional 40G Optical Link Complete Replacement +$6,259* +$2,200* 40G BiDi Optical Link Reuse all 10G Cabling/Patch Panels $4,059 SAVINGS (LIST) PER 40G LINK Source: Corning OM3 Cable & Patch Panel list prices, Cisco 40G BiDi list price, Competitors 40G SR4 list price

42 Normalized Bandwidth Cost vs. Port Speed Fixed & Modular Switches 1 Gbps 10 Gbps 40 Gbps 1G 10G 40G 100G

43 Normalized Bandwidth Cost vs. Port Speed Modular Switches 1 Gbps 10 Gbps 40 Gbps 1G 10G 40G 100G

44 Agenda Introduction Application Centric Infrastructure 1. Policy Model & Controller 2. The Fabric 3. The Data Plane 4. The Control Plane 5. Overlay s? Questions & Summary

45 CLOS Fabric

46 ARRAY S

47 ARRAY S

48 Agenda Introduction Application Centric Infrastructure 1. Policy Model & Controller 2. The Fabric 3. The Data Plane 4. The Control Plane 5. Overlay s? Questions & Summary

49 Let s Analyze a Tree Structure The Leaves The Branches Branch Size Decreases The Root

50 Spanning Tree Takes a Perfectly good Meshed Network and reduces it to a Tree!

51 Spanning Tree is NOT anymore Adequate! Solutions that Keep All Link Forwarding Are More Desirable

52 Agenda Introduction Application Centric Infrastructure 1. Policy Model & Controller 2. The Fabric 3. The Data Plane 4. The Control Plane 5. Overlay s? Questions & Summary

53 Why Overlay s? Physical Network

54 Overlay Comparison Layer 2 Layer 3 Extra Bits Overhead (Bytes) Legacy Network Multipath Merchant silicon Vendors VxLAN 70 Insieme, VMWare, Cisco Standard NvGRE 62 Insieme, MSFT Likely Likely LISP? 70 (56) Cisco Likely STT Nicira (VMWare) Unlikely

55 Agenda Introduction Application Centric Infrastructure 1. Policy Model & Controller 2. The Fabric 3. The Data Plane 4. The Control Plane 5. Overlay s? Questions & Summary

56 ACI Launch NYC

57 MAKING NETWORKS SIMPLE IS NOT TRIVIAL APPLICATIONS ARE TIGHTLY COUPLED TO THE NETWORK 10,000s ACLs Separate for Physical and VMs APPLICATION CENTRIC INFRASTRCUTURE Integrated Security Policies and Mobility Centralized Visibility and Automation APIC STORAGE STORAGE Inefficient Forwarding Optimized Forwarding No Flooding F/W WEB F/W APP F/W Application Profile and Policy DB F/ W DB DB Default Gateway Default Gateway FHRP VPC STP Excessive Protocols Multicast Limitations Multicast Multi-Pathing and Fast Reroute No Legacy Layer 2 Operations Decouple Application from Infrastructure

58 Security Evolution to Application Centric Infrastructure Without ACI Application Owner With ACI Orchestration Platform as a Service Platform as a Service Partial Automated Provisioning Compute Networking E2E Automated Provisioning Compute Networking Storage Storage *Application Policy Infrastructure Controller 58

59 Defining and Applying Network Setup and Policy Today vs. ACI Define Setup And Policy App Sec Net Today ACI App Sec Net Controller Define Setup and Policy Translate Setup and Policy Network and Policy Instantiate Net Net Weeks Minutes Translate Policy Instantiate Policy Security Configuration Network Switch Configuration Load balancer Configuration Tenant permit tcp host host eq www permit tcp host host eq 443 permit tcp host host eq permit tcp host host eq www permit tcp host host eq 443 permit tcp host host eq permit tcp host eq www permit tcp host eq 443 permit tcp host eq Vlan Routing Trunking VIP Listing port Forwarding port http SLB protocol Servers to forward to EPG: DB Application Network Profile C EPG: App C EPG: Web Multiple Devices: Switches, Load-Balancers, Firewalls Faster Instantiation Portability Better Visibility Re-Usability 59

60 Application Centric Infrastructure (ACI) Summary Value Case Automation Savings 58% Cost Savings Data Center Access Access Control List (ACL) Local/Global Server Load Balancing Network Provisioning Provisioning SLA Improvement Data Center Access 38 % Access Control List (ACL) Local/Global Server Load Balancing 43 % 41 % Network Operations & Management Service Management 21% Cost Savings Incident Management Problem Management Event Management Data Center Network Compute Storage Compute Optimization Type of Saving % Storage (NAS) Optimization CAPEX Savings 25% Power Savings 45% Space Savings 19% 4x Increase in Bandwidth (10Gbs > 40Gbs) 12 % Optimization 20 % Optimization * Single Fabric * Single Fabric

61 Organization Implications Cisco Infrastructure Team Journey Virtual Teams COMPUTE STORAGE SECURITY NETWORK ARCHITECTURE DESIGN IMPLEMENTATION OPERATIONS Network UC/Video Infrastructure as a Service 61

62 Normative ACI Application Centric Infrastructure APIC Application Policy Infrastructure Controller DFA Distributed Fabric Automation VDP Virtual Station Interface Discovery Protocol VXLAN - Virtual extensible Local Area Network VXLAN Segment - VXLAN Layer 2 overlay network over which VM s communicate VXLAN Overlay Network - another term for VXLAN Segment VXLAN Gateway - an entity which forwards traffic between VXLAN and non-vxlan environments VTEP - VXLAN Tunnel End Point - an entity which originates and/or terminates VXLAN tunnels VLAN - Virtual Local Area Network VM - Virtual Machine VNI - VXLAN Network Identifier (or VXLAN Segment ID) ACL - Access Control List ECMP - Equal Cost Multipath IGMP - Internet Group Management Protocol PIM - Protocol Independent Multicast SPB - Shortest Path Bridging ToR - Top of Rack TRILL - Transparent Interconnection of Lots of Links

63 Complete Your Online Session Evaluation Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center. Note: This slide is now a Layout choice Don t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit 63

64