Intuit Application Centric ACI Deployment Case Study
Joon Cho, Principal Network Engineer, Intuit
Lawrence Zhu, Solutions Architect, Cisco

Agenda
- Introduction
- Architecture / Principles
- Design
- Rollout
- Key Highlights
- Outlook
- Conclusion
Introduction
Who We Are
- Maker of small business software
2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

Who We Are: Company and Business Strategy
- Customer-driven innovation
- Heavily focused on cloud and mobile
- Multiple application suites
- Application / developer centric

Who We Are: IT / Network Strategy
Critical to offer the following features and functions:
- Agility
- Expose APIs to end users
- Allow end-user control
- Infrastructure abstraction
- Enable East-West traffic growth
Architecture / Principles
Legacy Data Center Design
- North-South traffic pattern
- Application Layer 2 segmentation
- 3-tier design
- Security classification by trust and execution level

Data Center Network Design Principles
- Application aware: integrate application and network to interact with event- or pattern-driven changes
- Simplified security: security policies centrally managed and logged; security zones flattened (compliance treated separately); security policies abstracted from the infrastructure
- Hybrid cloud capable: ability to leverage the private/public cloud, not tied to a data center dependency; location-agnostic, policy-driven configurations
- Visibility: single dashboard that provides end-to-end visibility around health and performance
- Simplified migration: ease of operation, associating metadata and associating the policy with the application rather than the infrastructure
- Predictable performance: consistent, predictable performance
- Flexible: purpose-built modular environments with smaller Layer 3 domains allowing for expansion (spine-leaf)
- Availability: network resiliency appropriate to the tier and aligned with application resiliency
- Programmable: common workflows via APIs for self-service consumption

Intuit Data Center Architecture - Fabric
[Diagram: two service providers (SP1, SP2) reached over MPLS and P2P links, a private cloud (P-Cloud), border routers (BR) and core (C) feeding a fabric backbone of border leafs (BL, x N), spines (S), service leafs (SL) and leafs (L); leaf groups serve Service, Compute, Storage and Compliance.]

Selection of ACI
Multiple SDN platforms in the market were evaluated against these principles:
- Abstraction of the underlying infrastructure
- Management and visibility of the physical infrastructure
- Compute agnostic (bare metal / VM)
- Support for the incumbent hypervisor (vCenter / ESX 5.5 at the time of deployment)
- Fully supported RESTful API
Design
ACI Fabric Design Overview
[Diagram of the tenant layout, with callouts: secure multi-tenancy; app, compute and network visibility; DC operations and DC automation; network capacity and bandwidth; any workload, any VLAN, anywhere.]
- Tenant: Common: Storage VRF, Management, Storage
- App: Prod: Default VRF; Web EPG, App EPG, DB EPG; external connectivity
- App: Pre-Prod: Web EPG, App EPG, DB EPG
- App: Compliance: Compliance VRF; Web EPG, App EPG, DB EPG
- 100+ tenants with RBAC

ACI Fabric Design Highlights: Tenants / Contexts
- Application-centric multi-tenant approach
- Tenants, application profiles and EPGs are created based on execution / functional segments
- Contexts/VRFs and bridge domains (BDs) are created in tenant common for shared external access, and BD subnets can be advertised out through BGP
- Three (3) major contexts/VRFs: one for the compliance zone, one for the non-compliance zone, and one for the storage network
- All access in and out of the compliance zone passes through an ASA firewall for stateful access control; access between EPGs within the compliance zone is controlled by regular contracts/filters

ACI Fabric Design Highlights (cont'd): Bridge Domain / Storage / Contracts
- Fewer bridge domains with larger subnets shared by EPGs from multiple user tenants
- Decouple BD/IP from the application: endpoints can be moved from EPG to EPG without changing their IP addresses, which eases application deployment through the application environment lifecycle
- Leverage unidirectional TCP contracts/filters and vzAny contracts/filters for optimized policy TCAM resource use
- IP storage vNICs/endpoints and IP storage filers are contained in their own isolated context and fully benefit from vzAny contracts

Network Service Design: Firewall Service Insertion
- ASA with two logical interfaces, one to the compliance context and one to the default context, acts as a router between the two contexts
- Centralized access policy control/configuration through the APIC RESTful API; the same automation tool configures fabric contracts and ASA ACEs
- Leveraging the dynamic EPG feature in the device package, ACEs can be configured based on EPG name
- L4-L7 service parameters are configured at the application profile level, one centralized place per tenant for configuring and updating service policies
- One main ASA service graph template for all tenants

Inter-Site Access Policy Consistency: ACI Toolkit Application
- Preserves the ACI group-based policy model between sites
- EPGs stretched for policy extension across fabrics/DCs: an L3Out external EPG in site 2 represents an EPG in site 1, and vice versa
- Dynamically syncs endpoints for stretched EPGs between sites
- Uses the existing L4-L7 service graphs between the DCs
[Diagram: DC#1 and DC#2 connected over an IP network; Web, App and DB EPGs extended using Layer 3 Out.]
Rollout
How We Did This: Project Plan and Logistics
- More time allocated for POC than for a traditional deployment: four months in the POC lab, one and a half months for the two-data-center production deployment
- Management support
- Resources from cross-functional teams for the POC and post-deployment war room:
  - Platform team for vCenter / VMM integration
  - Storage team for storage build-out
  - Application teams for EPG and contract build-out
  - Security team for compliance requirements review
  - Network operations team for monitoring and general operational support
  - Automation team for scripting and the integration portal

Production Fabric Deployment: Project Plan
- Complete replica of production in the lab
- Multiple iterations of POC rebuild up to the dual data center build
- Full integration testing of applications during the POC
- Leverage the SVS lab for design / scaling verification
- Unenforced mode for initial application on-boarding and validation
- Scripts to build out production: discovery / registration of switches; deployment of BDs, EPGs, contracts
- Reduced deployment schedule by leveraging scripts
Key Highlights
Automation Tools: Dashboard
- Leverages the Graphite tool
- Python-based polling script
- Trend data as well as status

Automation Tools: Rango
- Python-based
- Subscribes to classes of configuration over websocket (e.g. fvAEPg for application endpoint group)
- Leverages a separate DB
- Contract and endpoint profile search
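As an added illustration of the Rango approach described above (not Intuit's tool or code), the following Python keeps a local EPG inventory in sync from fvAEPg subscription frames and searches it; the frames, the class and function names, and the dn format check are constructed for this example.

```python
import json
import re

# Live flow (not run here): GET /api/class/fvAEPg.json?subscription=yes returns a subscriptionId,
# the APIC then pushes frames shaped like FRAMES below over wss://<apic>/socket<token>, and the
# subscription must be refreshed via /api/subscriptionRefresh.json?id=<subscriptionId> or it lapses.
EPG_DN = re.compile(r"^uni/tn-(?P<tenant>[^/]+)/ap-(?P<ap>[^/]+)/epg-(?P<epg>[^/]+)$")

def parse_epg_dn(dn):
    """Split an EPG distinguished name into its tenant, application profile and EPG."""
    m = EPG_DN.match(dn)
    if not m:
        raise ValueError(f"not an fvAEPg dn: {dn}")
    return m.groupdict()

class EpgInventory:
    """Local copy of the fabric's EPGs keyed by dn (the 'separate DB' on the slide)."""
    def __init__(self):
        self.epgs = {}

    def apply(self, frame):
        """Apply one websocket frame; returns the (dn, status) pairs it acted on."""
        handled = []
        for mo in json.loads(frame).get("imdata", []):
            for cls, body in mo.items():
                if cls != "fvAEPg":
                    continue  # a class we did not subscribe to; ignore defensively
                attrs = body["attributes"]
                dn, status = attrs["dn"], attrs.get("status", "modified")
                if status == "deleted":
                    self.epgs.pop(dn, None)
                else:
                    self.epgs[dn] = {**parse_epg_dn(dn), "name": attrs.get("name")}
                handled.append((dn, status))
        return handled

    def search(self, tenant=None, epg=None):
        """Endpoint-profile search over the local copy, optionally filtered by tenant and EPG name."""
        return sorted(dn for dn, e in self.epgs.items()
                      if (tenant is None or e["tenant"] == tenant)
                      and (epg is None or e["epg"] == epg))

# Constructed frames in the APIC subscription shape; not captured from a live fabric.
FRAMES = [
    json.dumps({"subscriptionId": ["72057611243487233"], "imdata": [
        {"fvAEPg": {"attributes": {"dn": "uni/tn-Prod/ap-Billing/epg-Web", "name": "Web", "status": "created"}}},
        {"fvAEPg": {"attributes": {"dn": "uni/tn-Prod/ap-Billing/epg-App", "name": "App", "status": "created"}}}]}),
    json.dumps({"subscriptionId": ["72057611243487233"], "imdata": [
        {"fvAEPg": {"attributes": {"dn": "uni/tn-Prod/ap-Billing/epg-Web", "status": "deleted"}}}]}),
]
```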
Automation Tools: Loom
- Python-based
- Standard tool to deploy contracts (ACLs), EPGs, and static bindings
- No direct access to the APIC GUI; network team only, for exceptions
- Series of validations
- Service-chained to the CMDB and change request

Network Changes - Legacy vs Fabric
[Chart: change rate per month, Oct-15 through Apr-16, legacy vs fabric; y-axis 0 to 3500.]

Network Changes - Manual vs Automated
[Chart: "Automated Network Changes - ACI Fabric vs Legacy", automation rate Jan-16 through Jun-16, non-fabric automated vs fabric automated; y-axis 0% to 100%.]

Customer Testimony From BU Leaders
"The most important gain for us is in the Contract vs ACL difference. Though it requires some initial setup that is comparable to our legacy environments, all subsequent deployments into an application automatically have the necessary network access. This means a savings of anywhere from 1 to 7 days or more on every deployment, depending on size and complexity. We can provision a server in a matter of minutes, execute post-provisioning via Chef, and hand it off to the requesting business unit in a matter of hours instead of days. On top of that, many network tasks that are required can now be automated or executed directly from my team, leading to even more efficiency. This again saves us days waiting for a central network team to complete our requests."
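To make the "contract vs ACL" design concrete for both the contracts slide in the Design section (unidirectional TCP filters for TCAM savings) and the Loom validation step above, here is an added example (not Intuit's Loom and not Cisco code) that builds the APIC objects for a unidirectional TCP contract and runs a pre-deployment validation over the payload; the function names, tenant and contract names, and the validation rules are assumptions.

```python
# Constructed example of the APIC policy objects behind the "contract vs ACL" point;
# the helper names, policy names and validation rules are assumptions, not Intuit's tooling.

def tcp_filter(name, port):
    """vzFilter with one TCP entry for destination `port`."""
    return {"vzFilter": {"attributes": {"name": name}, "children": [{"vzEntry": {"attributes": {
        "name": f"tcp-{port}", "etherT": "ip", "prot": "tcp", "stateful": "yes",
        "dFromPort": str(port), "dToPort": str(port)}}}]}}

def established_filter(name):
    """Return-direction filter matching only established TCP flows (tcpRules=est)."""
    return {"vzFilter": {"attributes": {"name": name}, "children": [{"vzEntry": {"attributes": {
        "name": "est", "etherT": "ip", "prot": "tcp", "tcpRules": "est"}}}]}}

def unidirectional_contract(name, port):
    """vzBrCP whose subject applies the port filter consumer->provider only (vzInTerm) and the
    established filter provider->consumer (vzOutTerm), instead of the full port filter in both
    directions: fewer zoning-rule / TCAM entries per EPG pair, which is the slide's optimization."""
    def term(cls, flt):
        return {cls: {"attributes": {}, "children": [{"vzRsFiltAtt": {"attributes": {"tnVzFilterName": flt}}}]}}
    return {"vzBrCP": {"attributes": {"name": name, "scope": "context"}, "children": [
        {"vzSubj": {"attributes": {"name": f"{name}-subj"}, "children": [
            term("vzInTerm", f"tcp-{port}"), term("vzOutTerm", "tcp-established")]}}]}}

def tenant_payload(tenant, port):
    """Body for POST /api/mo/uni.json: the tenant carrying both filters and the contract."""
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [
        tcp_filter(f"tcp-{port}", port), established_filter("tcp-established"),
        unidirectional_contract(f"web-to-app-{port}", port)]}}

def validate(payload):
    """Loom-style guardrail run before anything reaches APIC: reject IP filter entries that would
    allow a whole protocol without ports (an 'any' rule in ACL terms) and contracts scoped wider
    than one VRF. Returns a list of problems; an empty list means the payload may be deployed."""
    problems = []
    def walk(node):
        for cls, body in node.items():
            a = body.get("attributes", {})
            if cls == "vzEntry" and a.get("etherT") in ("ip", "ipv4", "ipv6"):
                prot = a.get("prot", "unspecified")
                if prot == "unspecified":
                    problems.append(f"{a.get('name')}: IP entry without a protocol")
                elif prot in ("tcp", "udp") and "dToPort" not in a and "tcpRules" not in a:
                    problems.append(f"{a.get('name')}: {prot} entry without a destination port")
            if cls == "vzBrCP" and a.get("scope") != "context":
                problems.append(f"{a.get('name')}: contract scope must stay within the VRF")
            for child in body.get("children", []):
                walk(child)
    walk(payload)
    return problems
```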
Outlook
Future Plan: Plans and Projection
- Expansion of the existing fabric: 196 more leafs within the next 18 months; more BUs / applications
- Upgrade of APIC to leverage new features: ingress-only policy; SGT (security tag) based policy on ASA; distributed / software-based load balancing; micro-segmentation of the fabric
Challenges
ACI Network Design: Technical Challenges
- Understanding ACI as a programmatic approach vs a legacy network device
- Multi-fabric and contract enforcement: inter-site tool
- Compatibility with legacy: how to handle contract-to-legacy-ACL mapping (IP group, security tag)
- Operational learning curve: engage Cisco Services as early as possible
- TCAM: the scale test revealed a potential resource constraint in the border leaf; added new pairs of border leafs and policy-based routing
Conclusion
Conclusion: Key Takeaways
- Leverage programmability and automation: team members who know REST and scripting
- Planning is the key: application team and platform team integration and input from the beginning of the design stage; must fully understand the application traffic flow
- Spend enough time in the lab / POC to understand ACI
- Joint project planning with the Cisco team is a must: work closely with the Cisco AS team and leverage Cisco Solution Validation Services (SVS)

Complete Your Online Session Evaluation
Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card. Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us. Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Thank you