Basic Concepts of Cisco's SDN Solution ACI. Presented by: Shangxin Du (@shdu), Solution Support Engineer, Cisco TAC, Aug 26th, 2015. 2013 Cisco and/or its affiliates. All rights reserved. 1
Application trends: type (big data, distributed, mobile), consumption (cloud: public, private, hybrid) and delivery (anywhere, any time, any device). 78% say the network is even more critical to delivering applications than a year ago (Cisco Global IT Impact Survey).
New server platforms enabling higher I/O throughput: 10G LOM/FlexLOM shipping (http://h30507.www3.hp.com/t5/Coffee-Coaching-HPand-Microsoft/HP-FlexibleLOM-for-Gen8/ba-p/108515), Intel Haswell with 2 sockets x 12 cores (Intel Xeon E5 spec). Virtual machine density driving I/O performance: 24 VMs per server (IDC Worldwide Virtual Machine 2013-2017 Forecast). Big data increasing east-west traffic: data center IP traffic growth of 25% CAGR, 2012-2017 (Cisco Global Cloud Index Forecast 2012-2017). Faster server refresh cycle (2-3 years, shown against 2.5 and 5 years): a network refresh cycle of 5 years should cover two server refresh cycles.
Networks are complex! They are the next silo to experience a major shift; 1st generation SDN solutions look to meet the new technical challenges.
APIC value: app agility and simplification/abstraction (deliver new revenue streams faster); centralized provisioning and visibility (lowered OpEx); automation and programmability (reduced risk); risk and OpEx reduction and reduced CapEx.
Application language vs. network language. Application language: application tier policy and dependencies, security requirements, service level agreement, application performance, compliance, geo dependencies, tenants? Network language: VLAN, IP address, subnets, firewalls, quality of service, load balancer, access lists.
Analogy: a SIM card is the identity for a phone; a service profile is the identity for a server (UCS service profile: unified device management of network policy, storage policy and server policy); an application profile is the identity for the network.
Group policy model (topology / service graph): Group 1 connects to Group 2 through a load balancer, Group 2 connects to Group 3 through a firewall, with a WAN link and high-priority traffic marked. The level of segmentation, isolation and visibility scales from 10s of profiles (e.g. production pod, DMZ, shared services, dev/test) to 100s and 1000s of profiles (web, app and DB tiers per environment), mapped onto VLANs and VXLANs.
Evolution: existing 3-tier designs, then the programmable SDN overlay model, then application profiles and policies (APIC). Existing 2-tier and 3-tier designs (DC core, DC pods): modernized operating system (Nexus OS), VXLAN bridging and routing, OpenFlow support. Open API and programmability: integrated network virtualization. Application Centric Infrastructure: no VM tax, any hypervisor, physical and virtual, open APIs and controller.
Open source; open standards: NSH, VXLAN, OpFlex; open interfaces: JSON, XML, REST, OpFlex.
OpFlex protocol + ecosystem (APIC to physical/virtual switches, routers and L4-7 services). Open source: an open source OpFlex agent will be available to anyone. Open standard: co-authors for the IETF submission. Open ecosystem: broad, growing support including from hypervisor, network, and L4-7 vendors.
Security expressed in application language: lifecycle management (policies track workloads); visibility, analytics, forensics; automated compliance and centralized audit; distributed security across physical and virtual; centrally managed and fully automated.
ACI integrated security: open, flexible, policy driven. Consistent policy across ESX, bare metal and Linux containers; firewall (F/W) and ADC services inserted in front of the web, app and DB tiers, alongside management and vMotion traffic; consistent audit, logging, and visibility; FIPS / CC / PCI / RBAC.
APIC: the journey began on the northbound, Nov 6th 2013.
Migration path: 1. Leverage the existing Nexus/IP network (existing network PoDs such as Nexus, with Nexus 7000 DCI; augment with Nexus 9300). 2. Deploy ACI: new pods for cloud build-outs (Nexus 9500/9300 ACI fabric, with ESX, Hyper-V, OVS, bare metal and AVS workloads under an application profile). 3. Extend the ACI model and preserve IP networks, L4-7 services and hypervisors (ACI policy applied across ESX, bare metal, Hyper-V, AVS and OVS).
Solution: ACI + Vnomics + SAP BW on SAP HANA. SAP stacks for Vblock, FlexPod and VSPEX; SAP BW on SAP HANA application models and SAP Business Warehouse infrastructure models are deployed on Cisco ACI as an application network profile (BWHANA) whose tiers (BWCITier, HANADBTier, HANAStorageTier, BWDITier, BWCITierPublicBW) are connected by contracts (SapHanaSql, NfsUdp, SapBW, SapBWCI); the approach extends ACI to 20 different SAP applications. Benefits: accelerate deployment of SAP BW on SAP HANA + Cisco ACI; rapid analysis and troubleshooting of the SAP landscape; scale SAP application capacity without complexity; monitoring and automatic remediation.
Built for the growing commercial enterprise to the largest service providers: starting at $100K and 200 ports, scaling to 100K+ ports; 8K multicast groups (per leaf); 1M IPv4/IPv6 endpoints; 64K tenants; 576 wire-rate 40G ports (per spine); 60 Tbps capacity (per spine).
"It's critical that we are able to deliver hundreds of thousands of transactions per second, so latency and 40G throughput are a number one concern. After evaluating numerous vendor solutions, Cisco's Nexus 9000 switching platform provided us with the best performance to support our evolving data centers, while protecting existing IT investments." Bob Hammond, CTO, Millennial Media. "Symantec is an early adopter of Cisco's ACI, leveraging the technology within our own Agile Data Center. Cisco ACI brings the scalability and efficiency we need while enabling us to truly bring next generation networking capabilities to our customers." Jon Sanchez, Director of Data Center Services, Symantec.
Business outcomes: greater business agility (58% reduction in network provisioning); lower capital expenses (25% CapEx reduction); reduced costs/complexity (21% reduction in management costs); lower operating cost (45% reduction in power and cooling costs); resource optimization (10-20% compute and storage optimization).
Tenant hierarchy: a Tenant (customer, BU or group) contains Private Networks (contexts / VRFs); each Private Network contains Bridge Domains, which form the L2 boundary; each Bridge Domain defines Subnets (IP spaces, e.g. Subnet A, B, D, F); End Point Groups (A, B, C) are placed within the Bridge Domains.
Object relationships (1:n = one to many, n:n = many to many; direct relationships and indirect relationships/links): Tenant 1:n Outside Network, Application Profile, Bridge Domain, Private Network and Contract; Application Profile 1:n Endpoint Group; Bridge Domain 1:n Subnet; Bridge Domain n:1 Private Network; Endpoint Group n:1 Bridge Domain; Endpoint Group n:n Contract; Contract 1:n Subject; Subject n:n Filter.
Logical Representation
The bridge domain is not a VLAN, although it can act similarly to one; think of it instead as a distributed switch. On each leaf, VLANs are translated with local significance. The bridge domain references a VRF instance called a Private Network. The subnets and gateways for the workloads are defined as part of the bridge domain.
Figure: a Tenant containing a Private Network and Applications A, B and C, with policies defined between the applications.
EPGs are a grouping of applications or application components independent of other network constructs (figure: a WebServices EPG grouping HTTP and HTTPS service instances).
Policy and security enforcement occurs at the EPG level. EPGs separate the addressing of an application from its mapping and policy enforcement on the network (figure: HTTPS service instances in 10.10.11.x and HTTP service instances in 10.10.10.x).
Application Profile with inbound/outbound policies (contracts) between its EPGs. Application Network Profiles are a group of EPGs and the policies that define the communication between them.
Contracts define what an EPG exposes to other EPGs and how. Contracts are reusable for multiple EPGs, and EPGs can inherit multiple contracts (figure: a Tenant's Application Profile with contracts C-Web, C-App and C-DB). Contracts are a group of subjects with a scope definition (Global, Tenant, AP). Subjects are a group of filters: unidirectional or bidirectional, QoS, and the service graph insertion point. Filters are the lowest-level ACL.
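The policy hierarchy of the preceding slides (Tenant, Private Network, Bridge Domain, Subnet, Application Profile, EPG, Contract, Subject, Filter) as an added Python example that is not from the presentation or from Cisco: it builds a constructed Web/App/DB tenant in the JSON shape the APIC REST API accepts (the class names fvTenant, fvCtx, fvBD, fvSubnet, fvAp, fvAEPg, vzBrCP, vzSubj, vzFilter, vzEntry and the Rs relation classes are ACI's own; the tenant name, subnet and ports are made up) and then resolves whether traffic between two EPGs is permitted. The resolver is a deliberately simplified model of fabric enforcement: consumer-to-provider direction only, no reverse-filter, scope or service-graph handling.

```python
def mo(cls, children=(), **attrs):  # one managed object in the JSON shape the APIC REST API takes
    return {cls: {"attributes": dict(attrs), "children": list(children)}}

def walk(body, cls):
    """Yield the {attributes, children} body of every object of class `cls` below `body`."""
    for child in body.get("children", []):
        for name, sub in child.items():
            if name == cls:
                yield sub
            yield from walk(sub, cls)

def filt(name, port):
    """Filter: the lowest-level ACL, here a single TCP entry for one destination port."""
    return mo("vzFilter", [mo("vzEntry", name=f"tcp{port}", etherT="ip", prot="tcp",
                              dFromPort=str(port), dToPort=str(port))], name=name)

def contract(name, *filters):
    """Contract -> Subject -> Filters, the hierarchy on the contracts slide."""
    subj = mo("vzSubj", [mo("vzRsSubjFiltAtt", tnVzFilterName=f) for f in filters], name="s")
    return mo("vzBrCP", [subj], name=name, scope="application-profile")

def epg(name, provides=(), consumes=()):
    """EPG placed in bridge domain BD1 plus its provider/consumer relations to contracts."""
    rels = [mo("fvRsBd", tnFvBDName="BD1")] + [mo("fvRsProv", tnVzBrCPName=c) for c in provides]
    return mo("fvAEPg", rels + [mo("fvRsCons", tnVzBrCPName=c) for c in consumes], name=name)

# Constructed Web/App/DB tenant: the names, subnet and ports are made up for this example.
TENANT = mo("fvTenant", [
    mo("fvCtx", name="ProdVRF"),                                   # Private Network (VRF)
    mo("fvBD", [mo("fvRsCtx", tnFvCtxName="ProdVRF"),              # Bridge Domain -> VRF
                mo("fvSubnet", ip="10.10.10.1/24")], name="BD1"),  # gateway defined in the BD
    filt("http", 8080), filt("sql", 3306),
    contract("web-to-app", "http"), contract("app-to-db", "sql"),
    mo("fvAp", [epg("Web", consumes=["web-to-app"]),
                epg("App", provides=["web-to-app"], consumes=["app-to-db"]),
                epg("DB", provides=["app-to-db"])], name="3tier"),
], name="Demo")

def allowed(tenant, src, dst, dport):
    """Whitelist check: src->dst:dport passes only via a contract src consumes and dst provides."""
    root = tenant["fvTenant"]
    epgs = {e["attributes"]["name"]: e for e in walk(root, "fvAEPg")}
    cons = {r["attributes"]["tnVzBrCPName"] for r in walk(epgs[src], "fvRsCons")}
    prov = {r["attributes"]["tnVzBrCPName"] for r in walk(epgs[dst], "fvRsProv")}
    filts = {a["attributes"]["tnVzFilterName"] for c in walk(root, "vzBrCP")
             if c["attributes"]["name"] in cons & prov for a in walk(c, "vzRsSubjFiltAtt")}
    return any(int(e["attributes"]["dFromPort"]) <= dport <= int(e["attributes"]["dToPort"])
               for f in walk(root, "vzFilter") if f["attributes"]["name"] in filts
               for e in walk(f, "vzEntry"))  # nothing matched: the fabric's default is deny
```

With this tenant, Web reaches App only on 8080 and App reaches DB only on 3306; Web to DB has no shared contract and is dropped, which is the EPG-level whitelist the slides describe.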
Thank you.